Preface


TABLEAUX, the International Conference on Automated Reasoning with Analytic 
Tableaux and Related Methods, is a conference series that started in 1992 and has been 
held every year since then. The series brings together researchers interested in all aspects 
- theoretical foundations, implementation techniques, systems development and applica- 
tions - of the mechanization of reasoning with tableaux and related methods. Since 1995, 
proceedings of TABLEAUX have been published in Springer’s LNCS/LNAI series. 

TABLEAUX 2023 was the 32nd edition of the conference series and it was an in- 
person conference hosted by the Czech Technical University in Prague, Czech Republic, 
September 18—21, 2023. It was co-located with the 14th International Symposium on 
Frontiers of Combining Systems (FroCoS 2023). 

The Program Committee received a total of 43 submissions, comprising 33 research 
papers and 10 short papers. Each submission received on average three reviews in a 
single-blind process and was evaluated during program committee discussions. Even- 
tually 20 research papers and 5 short papers were accepted for presentation at the 
conference. 

This volume includes all the accepted research papers and short papers of 
TABLEAUX 2023. These include papers on proof theory, with deductive mechanisms 
ranging from tableaux, sequent calculi and extensions, and non-wellfounded proofs. 
Their objects of inquiry encompass a range of modal logics, including in the non-normal, 
intuitionistic, constructive and temporal settings, linear logic, MV-algebras, separation 
logic, first-order logics and results on cut-elimination, termination and complexity of 
proof search, term-forming operators and proof-theoretic semantics. Investigations also 
delve into formalised proofs, automated theorem proving for classical and non-classical 
logics, and their integration with machine learning and SMT solvers. In addition to 
the main track, this year's edition hosted a special track on Artificial Intelligence and 
Theorem Proving (AITP), inviting papers combining machine learning and related AI 
methods with standard TABLEAUX topics. 

This volume also includes abstracts of invited talks presented at TABLEAUX 2023. 
The five invited speakers, chosen by the Program Committee, were: 


— Marta Bílková (Czech Academy of Sciences, Czechia) joint with FroCoS 

— Chad E. Brown (Czech Technical University in Prague, Czechia) joint with FroCoS 
— Valentin Goranko (Stockholm University, Sweden) joint with FroCoS 

— Rosalie Iemhoff (Utrecht University, The Netherlands) 

— Roman Kuznets (Technische Universität Wien, Austria)


The following papers were selected by the Program Committee for awards: 


— Best Paper. Ian Shillito, Iris van der Giessen, Rajeev Goré and Rosalie Iemhoff. A new
calculus for intuitionistic Strong Löb logic: strong termination and cut-elimination,
formalised.
— Best Junior Researcher Paper. Bahareh Afshari, Lide Grotenhuis, Graham Leigh
and Lukas Zenger. Ill-founded Proof Systems For Intuitionistic Linear-time Temporal
Logic.


The two awards were presented at the conference. 

We thank all the people who contributed to making TABLEAUX 2023 a success. We 
thank the Programme Committee and all additional reviewers for the time, professional 
effort and expertise they invested to deliver the high scientific standards of the conference 
and these proceedings. We thank the local organizers for making this event happen. We 
thank the invited speakers for their inspiring talks, and the Steering Committee for their 
helpful advice. We thank all the authors for their excellent contributions. Special thanks 
to Jens Otten who supported us with advice through all phases of the conference. 

We would also like to thank Springer for sponsoring the conference and publishing 
these proceedings, University of Innsbruck for providing the registration system, and 
the Czech Institute of Informatics, Robotics, and Cybernetics (CIIRC-CTU) for hosting 
and supporting the conference and its organization. 
Abstracts of Invited Talks


Epistemic Logics of Structured Intensional Groups: 
Agents - Groups - Names - Types 


Marta Bílková
Czech Academy of Sciences, Czechia 


In the overwhelming majority of contributions to multi-agent epistemic, doxastic, and 
coalition logic, a group is reduced to its extension, i.e., the set of its members. This 
has a counter-intuitive consequence that groups change identity when their membership 
changes, and rules out uncertainty regarding who is a member of a given group. Addi- 
tionally, this idealization does not reflect the structure of groups, or the structured way in 
which collective epistemic attitudes emerge, in the intended application of logical mod- 
els. We will outline an abstract framework in which we can lift this idealisation, namely 
replacing agent or group labels of epistemic modalities with names, or providing them 
with an algebraic structure relevant to types of collective epistemic attitudes in question. 
The resulting formalisms are essentially two-sorted, combining the language of labels 
of modalities and the language of epistemic statements. A fully abstract account of 
such epistemic logics can be given, linking two-sorted algebras (involving propositions 
and group labels/types of knowledge) with monotone neighborhood frame semantics, 
in terms of an algebraic duality. This can further be applied to obtain, e.g., a definability 
theorem or to design a multi-type proof theory for the basic logic. We further discuss 
several particular examples of algebraic signatures giving rise to interesting and useful 
variants of group knowledge. 


First-Order Instantiation-Based Tableau 


Chad E. Brown 
Czech Technical University in Prague, Czechia 


We present a tableau calculus for first-order logic with equality. The calculus is a fragment 
of the higher-order calculus that is the theoretical basis for the award winning higher- 
order automated theorem prover Satallax and its successor Lash. A key aspect of the 
calculus is that universal quantifiers only need to be instantiated with terms that occur on 
one side of a disequation on the current open branch. This makes the search instantiation- 
based (as no metavariables are introduced and no unification is used). We will give an 
overview of the completeness proof and how the completeness proof can be modified 
to justify various modifications to the calculus. Both Satallax and Lash make use of the 
SAT solver MiniSat to determine when the search is complete (i.e., when every branch 
of the tableau is closed). Superposition provers like Vampire and E and SMT solvers 
like CVC5 and Z3 outperform Lash on typical first-order TPTP problems (used in the 
CASC competition). However, we will present a set of first-order clausal problems on 
which Lash significantly outperforms other provers. 


Combining Semantic Tableaux 


Valentin Goranko 
Stockholm University, Sweden 


Semantic tableaux for combined logical systems are usually constructed ad hoc and the 
question of developing more general methodologies for combining tableaux is yet to be 
systematically explored. 

In this talk I will address that question and will outline a methodological approach for 
combining tableaux. I will discuss the questions of transfer of soundness, completeness, 
and termination from the components to the combined tableaux, both in general and 
in the context of some important special cases, including multi-agent epistemic and 
temporal epistemic logics. 


Proof Systems and Termination 


Rosalie Iemhoff 
Utrecht University, The Netherlands 


In the study of logics, proof systems are a useful tool, and proof systems that are ter- 
minating even more so. Termination comes in degrees, where the strongest form of 
termination arguably requires that any backwards proof search in the proof system ter- 
minates. Not every application in which a proof system is involved needs this strong 
form of termination, but some applications seem to do so. In this talk I discuss the role 
of termination in proof theory, and connect it in particular to counter model constructions 
and interpolation. 


Always Look on Both Sides of Proof: 
Syntax and Semantics as the Yin and Yang of Structural 
Proof Theory 


Roman Kuznets 
Technische Universität Wien, Austria 


Proof theory provides a purely syntactic way of reasoning, without the need to resort 
to semantics. This is especially true of internal proof calculi where proof objects are 
interpreted as formulas, as opposed to external calculi that also exploit semantic elements. 
On the other hand, tableau formalisms suggest that the distinction between pure and 
“impure” syntax, between internal and external calculi is, perhaps, more superficial 
than commonly believed. Indeed, tableaus are typically isomorphic to some internal 
sequent-like calculus, despite themselves being described in largely semantic terms. 

I argue that the choice between embracing and avoiding semantic elements is a 
false one, that the two sides of proof formalisms mutually enrich rather than oppose 
each other. As an illustration of such successful interplay, I will discuss how semantic 
intuitions have been instrumental in developing several proof formalisms, including 
those used for solving two open problems: (1) the Lyndon interpolation property for 
Gödel-Dummett Logic and (2) decidability for the intuitionistic modal logic S4.

Supported by the Austrian Science Fund (FWF) project ByzDEL (P33600). 
Range-Restricted and Horn Interpolation
through Clausal Tableaux


Christoph Wernhard


University of Potsdam, Potsdam, Germany 
info@christophwernhard.com 


Abstract. We show how variations of range-restriction and also the 
Horn property can be passed from inputs to outputs of Craig interpo- 
lation in first-order logic. The proof system is clausal tableaux, which 
stems from first-order ATP. Our results are induced by a restriction of 
the clausal tableau structure, which can be achieved in general by a proof 
transformation, also if the source proof is by resolution/paramodulation. 
Primarily addressed applications are query synthesis and reformulation 
with interpolation. Our methodical approach combines operations on 
proof structures with the immediate perspective of feasible implementa- 
tion through incorporating highly optimized first-order provers. 


1 Introduction 


We show how variations of range-restriction and also the Horn property can be
passed from inputs to outputs of Craig interpolation in first-order logic. The
primarily envisaged application field is synthesis and reformulation of queries
with interpolation [5,39,56]. Basically, the sought target query R is understood
there as the right side of a definition of a given query Q within a given background
knowledge base K, i.e., it holds that K ⊨ (Q ↔ R), where the vocabulary of R
is in a given set of permitted target symbols. In first-order logic, the formulas R
can be characterized as the Craig interpolants of K ∧ Q and ¬K' ∨ Q', where
K', Q' are copies of K, Q with the symbols not allowed in R replaced by fresh
symbols [14]. Formulas R exist if and only if the entailment K ∧ Q ⊨ ¬K' ∨ Q'
holds. They can be constructed as Craig interpolants from given proofs of the
entailment in a suitable calculus.

In databases and knowledge representation, syntactic fragments of first-order 
logic ensure desirable properties, for example domain independence. Typically, 
for given K and Q in some such fragment, also R must be in some specific 
fragment to be usable as a query or as a knowledge base component. Our work 
addresses this by showing for certain such fragments how membership is passed 
on to interpolants and thus to the constructed right sides of definitions. The 


Funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) 
— Project-ID 457292495. The work was supported by the North-German Supercomput- 
ing Alliance (HLRN). 
fragment in focus here is a variant of range-restriction from [59], known as a
rather general syntactic condition to ensure domain independence [1, p. 97]. It 
permits conversion into a shape suitable for “evaluation” by binding free and 
quantified variables successively to the members of given predicate extensions. 
Correspondingly, if the vocabulary is relational, a range-restricted formula can 
be translated into a relational algebra expression. First-order representations of 
widely-used classes of integrity constraints, such as tuple-generating dependen- 
cies, are sentences that are range-restricted in the considered sense. 

As proof system we use clausal tableaux [26,29-31,33], devised in the 1990s
to take account of automated first-order provers that may be viewed as
enumerating tree-shaped proof structures, labeled with instances of input clauses.¹
Such systems include the Prolog Technology Theorem Prover [53], SETHEO [32], 
leanCoP [42,43] and CMProver [16,45,60,61]. As shown in [62], a given closed 
clausal tableau is quite well-suited as a proof structure to extract a Craig inter- 
polant. Via the translation of a resolution deduction tree [12] to a clausal tableau 
in cut normal form [31,62] this transfers also to interpolation from a given reso- 
lution/paramodulation proof. 

Since the considered notion of range-restriction is based on prenexing and 
properties of both a CNF and a DNF representation of the formula, it fits well 
with the common first-order ATP setting involving Skolemization and clausifica- 
tion and the ATP-oriented interpolation on the basis of clausal tableaux, where 
in a first stage the propositional structure of the interpolant is constructed and 
in a second stage the quantifier prefix. 

Our strengthenings of Craig interpolation are induced by a specific restriction 
of the clausal tableau structure, which we call hyper, since it relates to the proof 
structure restrictions of hyperresolution [46] and hypertableaux [2]. However, it 
is considered here for tree structures with rigid variables. A proof transformation 
that converts an arbitrary closed clausal tableau to one with the hyper property 
shows that the restriction is w.l.o.g. and, moreover, allows the prover unham- 
pered search for the closed clausal tableaux or resolution/paramodulation proof 
underlying interpolation. 


Structure of the Paper. Section 2 summarizes preliminaries, in particular interpolation
with clausal tableaux [62]. Our main result on strengthenings of Craig
interpolation for range-restricted formulas is developed in Sect. 3. Section 4 discusses
Craig interpolation from a Horn formula, also combined with range-restriction.
The proof transformation underlying these results is introduced in
Sect. 5. We conclude in Sect. 6 with discussing related work, open issues and
perspectives.


¹ Alternate accounts and views are provided by model elimination [34] and the
connection method [7,8].
Proofs of nontrivial claims that are not proven in the body of the paper
are supplemented in the preprint version [63]. An implementation with the PIE
environment [60,61]² is in progress.


2 Notation and Preliminaries 


2.1 Notation 


We consider formulas of first-order logic. An NNF formula is a quantifier-free
formula built up from literals (atoms or negated atoms), truth-value constants
⊤, ⊥, conjunction and disjunction. A CNF formula, also called clausal formula,
is an NNF formula that is a conjunction of disjunctions (clauses) of literals.
A DNF formula is an NNF formula that is a disjunction of conjunctions (conjunctive
clauses) of literals. The complement of a literal L is denoted by L̄. An
occurrence of a subformula in a formula has positive (negative) polarity, depending
on whether it is in the scope of an even (odd) number of possibly implicit
occurrences of negation. Let F be a formula. Var(F) is the set of its free variables.
Var⁺(F) (Var⁻(F)) is the set of its free variables with an occurrence in an atom
with positive (negative) polarity. Fun(F) is the set of functions occurring in it,
including constants, regarded here throughout as 0-ary functions. Pred±(F) is
the set of pairs ⟨p, pol⟩, where p is a predicate and pol ∈ {+, −}, such that an
atom with predicate p occurs in F with the polarity indicated by pol. Voc±(F) is
Fun(F) ∪ Pred±(F). A sentence is a formula without free variables. An NNF is
ground if it has no variables. If S is a set of terms, we call its members S-terms.
The ⊨ symbol expresses semantic entailment.


2.2 Clausal First-Order Tableaux 


A clausal tableau (briefly tableau) for a clausal formula F is a finite ordered tree
whose nodes N with exception of the root are labeled with a literal lit(N), such
that for each node N the disjunction of the literals of all its children in their
left-to-right order, clause(N), is an instance of a clause in F. A branch of a tableau
is closed iff it contains nodes with complementary literals. A node is closed iff 
all branches through it are closed. A tableau is closed iff its root is closed. A 
node is closing iff it has an ancestor with complementary literal. With a closing 
node N, a particular such ancestor is associated as target of N, written tgt(N). 
A tableau is regular iff no node has an ancestor with the same literal and is 
leaf-closing iff all closing nodes are leaves. A closed tableau that is leaf-closing is 
called leaf-closed. Tableau simplification can convert any tableau to a regular and 
leaf-closing tableau for the same clausal formula, closed iff the original tableau is 
so. Regularity is achieved by repeating the following operation [31, Sect. 2.1.3]: 
Select a node N with an ancestor that has the same literal, remove the edges 
originating in the parent of N and replace them with the edges originating in 
N. The leaf-closing property is achieved by repeatedly selecting an inner node 


² http://cs.christophwernhard.com/pie.
N that is closing and removing the edges originating in N. All occurrences of
variables in (the literal labels of) a tableau are free and their scope spans the 
whole tableau. That is, we consider free-variable tableaux [30, p. 158ff] with rigid 
variables [26, p. 114]. A tableau without variables is called ground. The universal 
closure of a clausal formula F is unsatisfiable iff there exists a closed clausal 
tableau for F. This holds also if clausal tableau is restricted by the properties 
ground, regular and leaf-closing in arbitrary combinations. 


2.3 Interpolation with Clausal Tableaux


Craig's interpolation theorem [13,15] along with Lyndon's observation on the
preservation of predicate polarities [35] ensures for first-order logic the existence
of Craig-Lyndon interpolants, defined as follows. Let F, G be formulas such that
F ⊨ G. A Craig-Lyndon interpolant of F and G is a formula H such that
(1) F ⊨ H and H ⊨ G. (2) Voc±(H) ⊆ Voc±(F) ∩ Voc±(G). (3) Var(H) ⊆
Var(F) ∩ Var(G). The perspective of validating an entailment F ⊨ G by showing
unsatisfiability of F ∧ ¬G is reflected in the notion of reverse Craig-Lyndon
interpolant of F and G, defined as Craig-Lyndon interpolant of F and ¬G.

Following [62], our interpolant construction is based on a generalization of
clausal tableaux where nodes have an additional side label that is shared by
siblings and indicates whether the tableau clause is an instance of an input
clause derived from the formula F or of the formula G of the statement F ∧ G ⊨ ⊥
underlying the reverse interpolant. Thus, a two-sided clausal tableau for clausal
formulas F and G is a tableau for F ∧ G whose nodes N with exception of the
root are labeled additionally with a side side(N) ∈ {F, G}, such that (1) if N
and N' are siblings, then side(N) = side(N'); (2) if N has a child N' with
side(N') = F, then clause(N) is an instance of a clause in F, and if N has a
child N' with side(N') = G, then clause(N) is an instance of a clause in G. We
also refer to the side of the children of a node N as side of clause(N). For
side ∈ {F, G} define path_side(N) = ⋀_{N' ∈ Path and side(N') = side} lit(N'),
where Path is the union of the set of the ancestors of N and {N}.

[Fig. 1. A two-sided clausal tableau. Below the root: ¬r(a) [q(a)] (side G); its
children ¬q(a) [q(a)] and r(a) [⊤] (side G); below ¬q(a): ¬p(a) [⊥] and q(a) [q(a)]
(side F); below ¬p(a): p(a) [⊥] (side F). Bracketed values are ipol, see Example 1.]

Let N be a node of a leaf-closed two-sided clausal tableau. The value of
ipol(N) is an NNF formula, defined inductively as specified with the tables below,
the first for the base case where N is a leaf, the second for the case where N is an
inner node with children N₁, ..., Nₙ.

    Leaf N:
    side(N)   side(tgt(N))   ipol(N)
    F         F              ⊥
    F         G              lit(N)
    G         F              complement of lit(N)
    G         G              ⊤

    Inner node N with children N₁, ..., Nₙ:
    side(N₁)   ipol(N)
    F          ipol(N₁) ∨ ... ∨ ipol(Nₙ)
    G          ipol(N₁) ∧ ... ∧ ipol(Nₙ)


Example 1. Figure 1 shows a two-sided tableau for F = p(a) ∧ (¬p(a) ∨ q(a))
and G = (¬q(a) ∨ r(a)) ∧ ¬r(a). Side G is indicated by gray background. For each
node the value of ipol, after truth-value simplification, is annotated in brackets.
The clauses of the tableau are ¬r(a) and ¬q(a) ∨ r(a), which have side G, and
¬p(a) ∨ q(a) and p(a), which have side F. If N is the node shown bottom left,
labeled with p(a), then path_F(N) = ¬p(a) ∧ p(a) and path_G(N) = ¬r(a) ∧ ¬q(a).


If N₀ is the root of a two-sided tableau for clausal ground formulas F
and G, then ipol(N₀) is a Craig-Lyndon interpolant of F and ¬G.³ The CTIF
(Clausal Tableau Interpolation for First-Order Formulas) procedure (Fig. 2) [62]
extends this to a two-stage [9,24] (inductive construction and lifting) interpolation
method for full first-order logic. It is complete (yields a Craig-Lyndon
interpolant for all first-order formulas F and G such that F ⊨ G) under the
assumption that the method for tableau computation in Step 3 is complete
(yields a closed tableau for all unsatisfiable clausal formulas). Some steps leave
room for interpolation-specific heuristics: In step 4 the choice of the terms used
for grounding; in step 5 the choice of the side assigned to clauses that are an
instance of both a clause in F' and a clause in G'; and in step 7 the quantifier
prefix, which is constrained just by a partial order.


Example 2. Let F ≝ ∀x p(x) ∧ ∀x (¬p(x) ∨ q(x)) and let G ≝ ∀x (¬q(x) ∨
r(x)) → r(a). Clausifying F and ¬G then yields F' = p(x) ∧ (¬p(x) ∨ q(x)) and
G' = (¬q(x) ∨ r(x)) ∧ ¬r(a). The tableau from Fig. 1 is a leaf-closed ground tableau
for F' and G' and we obtain q(a) as H_grd. Lifting for 𝓕 = {} and 𝓖 = {a} yields
the interpolant H = ∀v₁ q(v₁).


Example 3. Let F ≝ ∀x∀y p(x, f(x), y) and let G ≝ ∃x p(a, x, g(x)). Clausifying
yields F' = p(x, f(x), y) and G' = ¬p(a, x, g(x)). We obtain p(a, f(a), g(f(a)))
as H_grd. Lifting is for 𝓕 = {f} and 𝓖 = {a, g} with t₁ = a, t₂ = f(a) and
t₃ = g(f(a)). It yields H = ∀v₁ ∃v₂ ∀v₃ p(v₁, v₂, v₃).
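The computations of Examples 1 to 3, as an added example that is not code from the paper or from its PIE implementation: a small Python model of two-sided clausal tableaux with the ipol tables of Sect. 2.3 (CTIF step 6) and the interpolant lifting of step 7, run on the tableau of Fig. 1 and on the ground interpolant of Example 3. The encodings of nodes, literals, terms and formulas, the truth-value simplification, the fresh variable names v1, v2, ... and the assumption that predicate symbols are disjoint from the function symbols in 𝓕 ∪ 𝓖 are choices made here; the tableau built by fig1_tableau is the one of Fig. 1.

```python
# Added example (not from the paper or PIE): ipol on a two-sided clausal
# tableau (CTIF step 6) and interpolant lifting (CTIF step 7).  Encodings
# chosen here: a term is a variable (str) or a tuple ('f', arg, ...), a constant
# being ('a',); an atom is ('p', arg, ...); a tableau literal is (polarity, atom);
# an NNF formula is TOP, BOT, ('lit', polarity, atom), ('and', ...) or ('or', ...).

TOP, BOT = ('top',), ('bot',)


class Node:
    def __init__(self, lit=None, side=None, parent=None):   # root: lit = side = None
        self.lit, self.side, self.parent, self.children = lit, side, parent, []

    def add(self, lit, side):
        self.children.append(Node(lit, side, self))
        return self.children[-1]

    def ancestors(self):                                    # excludes the root
        n = self.parent
        while n is not None and n.lit is not None:
            yield n
            n = n.parent


def compl(lit):
    return (not lit[0], lit[1])


def tgt(node):
    """Target of a closing node: an ancestor with the complementary literal."""
    for anc in node.ancestors():
        if anc.lit == compl(node.lit):
            return anc
    raise ValueError('leaf %r is not closing; tableau is not leaf-closed' % (node.lit,))


def simp(op, args):
    """('and'/'or', ...) of args, simplified with respect to the constants."""
    unit, zero = (TOP, BOT) if op == 'and' else (BOT, TOP)
    args = [a for a in args if a != unit]
    if zero in args:
        return zero
    return (op,) + tuple(args) if len(args) > 1 else (args[0] if args else unit)


def ipol(node):
    """Leaf table by side(N) and side(tgt(N)); inner table by the children's side."""
    if not node.children:
        s, t = node.side, tgt(node).side
        if s == 'F':
            return BOT if t == 'F' else ('lit',) + node.lit
        return ('lit',) + compl(node.lit) if t == 'F' else TOP
    vals = [ipol(c) for c in node.children]
    return simp('or' if node.children[0].side == 'F' else 'and', vals)


def fig1_tableau():
    """Fig. 1: F = p(a) ∧ (¬p(a) ∨ q(a)) and G = (¬q(a) ∨ r(a)) ∧ ¬r(a)."""
    p, q, r = ('p', ('a',)), ('q', ('a',)), ('r', ('a',))
    root = Node()
    n_nr = root.add((False, r), 'G')       # clause ¬r(a), side G
    n_nq = n_nr.add((False, q), 'G')       # clause ¬q(a) ∨ r(a), side G
    n_nr.add((True, r), 'G')               #   r(a) closes against ¬r(a)
    n_np = n_nq.add((False, p), 'F')       # clause ¬p(a) ∨ q(a), side F
    n_nq.add((True, q), 'F')               #   q(a) closes against ¬q(a)
    n_np.add((True, p), 'F')               # clause p(a), side F, closes against ¬p(a)
    return root


def map_atoms(form, fn):
    if form[0] == 'lit':
        return ('lit', form[1], fn(form[2]))
    if form[0] in ('and', 'or'):
        return (form[0],) + tuple(map_atoms(sub, fn) for sub in form[1:])
    return form


def term_size(t):
    return 1 if isinstance(t, str) else 1 + sum(map(term_size, t[1:]))


def maximal_fg(t, fg, acc):
    """Record FG-terms at FG-maximal occurrences, not descending into them."""
    if not isinstance(t, str):
        if t[0] in fg:
            acc.add(t)
        else:
            for x in t[1:]:
                maximal_fg(x, fg, acc)
    return t


def subst_maximal(t, fg, sub):
    if isinstance(t, str):
        return t
    if t[0] in fg:
        return sub[t]
    return (t[0],) + tuple(subst_maximal(x, fg, sub) for x in t[1:])


def lift(h_grd, f_funs, g_funs):
    """CTIF step 7: (prefix of (quantifier, variable) pairs, matrix H'_grd)."""
    fg, occ = f_funs | g_funs, set()
    map_atoms(h_grd, lambda atom: maximal_fg(atom, fg, occ))
    terms = sorted(occ, key=term_size)     # t_i subterm of t_j implies i < j
    sub = {t: 'v%d' % i for i, t in enumerate(terms, 1)}
    prefix = [('∃' if t[0] in f_funs else '∀', sub[t]) for t in terms]
    return prefix, map_atoms(h_grd, lambda atom: subst_maximal(atom, fg, sub))


if __name__ == '__main__':
    h = ipol(fig1_tableau())               # Examples 1 and 2: q(a), lifted to ∀v1 q(v1)
    print(h, lift(h, set(), {'a'}))
    a = ('a',)                             # Example 3: ∀v1 ∃v2 ∀v3 p(v1, v2, v3)
    print(lift(('lit', True, ('p', a, ('f', a), ('g', ('f', a)))), {'f'}, {'a', 'g'}))
```

tgt raises when a leaf has no complementary ancestor, so feeding a tableau that is not leaf-closed fails loudly instead of producing a formula that is not an interpolant. Sorting the collected terms by size realises the partial order of step 7 (a proper subterm is always strictly smaller), and the replacement descends into atoms only until the first 𝓕𝓖-symbol, which is what makes the substitution simultaneous and restricted to maximal occurrences.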


3 Interpolation and Range-Restriction 


We now develop our main result on strengthenings of Craig interpolation for 
range-restricted formulas. 


³ So far, the interpolation method is a variation of well-known methods for sequent
systems [52,55] and analytic tableaux [20] when restricted to propositional formulas.
3.1 CNF and DNF with Some Assumed Syntactic Properties


Following [59] we will consider a notion of range-restriction defined in terms of 
properties of two prenex formulas that are equivalent to the original formula, 
have both the same quantifier prefix but matrices in CNF and DNF, respectively. 


INPUT: First-order formulas F and G such that F ⊨ G.
METHOD:


1. Free variables to placeholder constants. Let F_c and G_c be the sentences obtained
from F and G by replacing each free variable with a dedicated fresh constant.

2. Skolemization and clausification. Apply conversion to prenex form and
second-order Skolemization independently to F_c and to ¬G_c, resulting in disjoint
sets of fresh Skolem functions 𝓕', 𝓖', clausal formulas F', G', and sets
U' = Var(F'), V' = Var(G') of variables such that


(a) F_c ≡ ∃𝓕'∀U' F' and ¬G_c ≡ ∃𝓖'∀V' G'.
(b) Voc±(F') ⊆ Voc±(F_c) ∪ 𝓕' and Voc±(¬G') ⊆ Voc±(G_c) ∪ 𝓖'.
(c) ∀U'∀V' (F' ∧ G') ⊨ ⊥.


In case F' or G' contains the empty clause, exit with result H ≝ ⊥ or H ≝ ⊤,
respectively.

3. Tableau computation. Compute a leaf-closed clausal tableau for the clausal
formula F' ∧ G'. This can be obtained, for example, from a clausal tableau prover
for clausal first-order formulas.

4. Tableau grounding. Instantiate all variables of the tableau with ground terms
built up from functions in F' ∧ G' and possibly also fresh functions S = S₁ ⊎ S₂.
Observe that the grounded tableau is still a leaf-closed tableau for F' ∧ G'.

5. Side assignment. Convert the ground tableau to a two-sided tableau for F'
and G' by attaching appropriate side labels to all nodes except the root. This
is always possible because every clause of the tableau is an instance of a clause
in F' or in G'.

6. Ground interpolant extraction. Let H_grd be the value of ipol(N₀), where N₀ is
the root of the tableau.

7. Interpolant lifting. Let 𝓕 ≝ 𝓕' ∪ (Fun(F) \ Fun(G)) ∪ S₁ and let 𝓖 ≝ 𝓖' ∪
(Fun(G) \ Fun(F)) ∪ S₂. Let 𝓕𝓖 stand for 𝓕 ∪ 𝓖. An 𝓕𝓖-maximal occurrence of
an 𝓕𝓖-term in a formula is an occurrence that is not within another 𝓕𝓖-term.
Let {t₁, ..., tₙ} be the set of the 𝓕𝓖-terms with an 𝓕𝓖-maximal occurrence in
H_grd, ordered such that if tᵢ is a subterm of tⱼ, then i < j. Let {v₁, ..., vₙ}
be a set of fresh variables. For i ∈ {1, ..., n} define the quantifiers Qᵢ as ∃ if
tᵢ ∈ 𝓕-terms and as ∀ if tᵢ ∈ 𝓖-terms. Let


    H_c ≝ Q₁v₁ ... Qₙvₙ H'_grd


where H'_grd is obtained from H_grd by replacing all 𝓕𝓖-maximal occurrences of
terms tᵢ with variable vᵢ, simultaneously for all i ∈ {1, ..., n}.

8. Placeholder constants to free variables. Let H be H_c after replacing any
constants that were introduced in step 1 with their corresponding variables.


OUTPUT: Return H, a Craig-Lyndon interpolant of the input formulas F and G.


Fig. 2. The CTIF Procedure for Craig-Lyndon Interpolation [62].
Although not syntactically unique, we refer to them functionally as cnf(F) and
dnf(F) since we only rely on specific (easy to achieve) syntactic properties that
are stated in the following Propositions 4 to 6.


Proposition 4. For all formulas F it holds that Var(cnf(F)) ⊆ Var(F);
Voc±(cnf(F)) ⊆ Voc±(F); Var(dnf(F)) ⊆ Var(F); Voc±(dnf(F)) ⊆ Voc±(F).


For prenex formulas F with an NNF matrix let dual(F) be the formula obtained
from F by switching quantifiers ∀ and ∃, connectives ∧ and ∨, truth-value
constants ⊤ and ⊥, and literals with their complement.


Proposition 5. For all formulas F it holds that cnf(F) = dual(dnf(¬F));
dnf(F) = dual(cnf(¬F)); cnf(¬F) = dual(dnf(F)); dnf(¬F) = dual(cnf(F)).


Proposition 6. Let F₁, F₂, ..., Fₙ be NNF formulas. Then (i) Each clause in
cnf(⋀ᵢ₌₁ⁿ Fᵢ) is in some cnf(Fᵢ). (ii) Each conjunctive clause in dnf(⋁ᵢ₌₁ⁿ Fᵢ)
is in some dnf(Fᵢ). (iii) Formulas Fᵢ that are literals are in each clause in
cnf(⋁ᵢ₌₁ⁿ Fᵢ). (iv) Formulas Fᵢ that are literals are in each conjunctive clause
in dnf(⋀ᵢ₌₁ⁿ Fᵢ). (v) If S is a set of variables such that for all i ∈ {1, ..., n} and
clauses C in cnf(Fᵢ) it holds that Var(C) ∩ S ⊆ Var⁻(C), then for all clauses C
in cnf(⋁ᵢ₌₁ⁿ Fᵢ) it holds that Var(C) ∩ S ⊆ Var⁻(C). (vi) If S is a set of variables
such that for all i ∈ {1, ..., n} and conjunctive clauses D in dnf(Fᵢ) it holds that
Var(D) ∩ S ⊆ Var⁺(D), then for all conjunctive clauses D in dnf(⋀ᵢ₌₁ⁿ Fᵢ) it
holds that Var(D) ∩ S ⊆ Var⁺(D).


3.2 Used Notions of Range-Restriction 


The following definition renders the characteristics of the range-restricted for- 
mulas as considered by Van Gelder and Topor in [59, Theorem 7.2] (except for 
the special consideration of equality in [59]). 


Definition 7. A formula F with free variables X is called VGT-range-restricted
if cnf(F) = Q M_C and dnf(F) = Q M_D, where Q is a quantifier prefix (the same
in both formulas) upon universally quantified variables U and existentially
quantified variables E (in arbitrary order), and M_C, M_D are quantifier-free formulas
in CNF and DNF, respectively, such that


1. For all clauses C in M_C it holds that Var(C) ∩ U ⊆ Var⁻(C).
2. For all conjunctive clauses D in M_D it holds that Var(D) ∩ E ⊆ Var⁺(D).
3. For all conjunctive clauses D in M_D it holds that X ⊆ Var⁺(D).


For VGT-range-restricted formulas it is shown in [59] that these can be translated 
via two intermediate formula classes to a relational algebra expression. Related 
earlier results include [17, 18, 40,41]. The constraint on universal variables is also 
useful on its own as a weaker variation of range-restriction, defined as follows. 


Definition 8. A formula F is called U-range-restricted if cnf(F) = Q M_C where
Q is a quantifier prefix upon the universally quantified variables U (there may
also be existentially quantified variables in Q) and M_C is a quantifier-free formula
in CNF such that for all clauses C in M_C it holds that Var(C) ∩ U ⊆ Var⁻(C).


For formulas without free variables, U-range-restriction and VGT-range-restriction
are related as follows.


Proposition 9. Let F be a sentence. Then (i) F is VGT-range-restricted iff
F and ¬F are both U-range-restricted. (ii) If F is universal (i.e., in prenex
form with only universal quantifiers), then F is VGT-range-restricted iff F is U-
range-restricted. (iii) If F is existential (i.e., in prenex form with only existential
quantifiers), then F is VGT-range-restricted iff ¬F is U-range-restricted.


U-range-restriction covers well-known restrictions of knowledge bases and
inputs of bottom-up calculi for first-order logic and fragments of it that are
naturally represented by clausal formulas [3]. First-order representations of tuple-
generating dependencies (TGDs) are VGT-range-restricted sentences: conjunctions
of sentences of the form ∀X∀Y (A(X, Y) → ∃Z B(Y, Z)), where A is a possibly
empty conjunction of relational atoms, B is a nonempty conjunction of relational
atoms and the free variables of A and B are exactly those in the sequences X, Y
and Y, Z, respectively. Also certain generalizations, e.g., to disjunctive TGDs,
where B is built up from atoms, ∧ and ∨, are VGT-range-restricted.
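The syntactic conditions of Definitions 7 and 8, as an added example that is not code from the paper: the checks are run over a prenex CNF and DNF supplied as data (the cnf/dnf conversion itself is not implemented), on the TGD form above, on a formula that violates Definition 8, and on two small queries with a free variable. The literal encoding, the restriction to a relational vocabulary and the sample matrices are constructed here; on the TGD the direct check is compared with the route through Proposition 9(i), using cnf(¬F) = dual(dnf(F)) from Proposition 5.

```python
# Added example (not from the paper): the syntactic checks of Definition 8
# (U-range-restriction) and Definition 7 (VGT-range-restriction), applied to
# a formula given by its prenex CNF and DNF matrices, which are assumed to be
# computed already and to share one quantifier prefix.  Encoding chosen here:
# a literal is (polarity, predicate, (variable, ...)) over a relational
# vocabulary; clauses and conjunctive clauses are lists of literals.


def all_vars(clause):
    return {v for _, _, args in clause for v in args}


def pos_vars(clause):
    return {v for pol, _, args in clause for v in args if pol}


def neg_vars(clause):
    return {v for pol, _, args in clause for v in args if not pol}


def u_range_restricted(univ, cnf_matrix):
    """Definition 8: in every clause each universal variable occurs negatively."""
    return all(all_vars(C) & univ <= neg_vars(C) for C in cnf_matrix)


def vgt_range_restricted(free, univ, exist, cnf_matrix, dnf_matrix):
    """Definition 7, returned as the triple of its conditions 1, 2 and 3."""
    c1 = u_range_restricted(univ, cnf_matrix)
    c2 = all(all_vars(D) & exist <= pos_vars(D) for D in dnf_matrix)
    c3 = all(free <= pos_vars(D) for D in dnf_matrix)
    return c1, c2, c3


def negation_cnf(dnf_matrix):
    """cnf(¬F) = dual(dnf(F)) (Proposition 5): complement every literal; the
    conjunctive clauses become clauses and ∀/∃ swap roles in the prefix."""
    return [[(not pol, p, args) for pol, p, args in D] for D in dnf_matrix]


# TGD ∀x∀y (a(x,y) → ∃z b(y,z)): prefix ∀x∀y∃z, one clause, two conjunctive
# clauses (sample formula constructed for this example).
TGD_CNF = [[(False, 'a', ('x', 'y')), (True, 'b', ('y', 'z'))]]
TGD_DNF = [[(False, 'a', ('x', 'y'))], [(True, 'b', ('y', 'z'))]]

# ∀x (p(x) ∨ q(x)): x is universal but occurs only positively.
NOT_RR_CNF = [[(True, 'p', ('x',)), (True, 'q', ('x',))]]

# Query Q(x) = ∃y (e(x,y) ∧ e(y,x)) ∨ s(x): prefix ∃y, free variable x,
# positive matrix with x in every conjunctive clause.
Q_CNF = [[(True, 'e', ('x', 'y')), (True, 's', ('x',))],
         [(True, 'e', ('y', 'x')), (True, 's', ('x',))]]
Q_DNF = [[(True, 'e', ('x', 'y')), (True, 'e', ('y', 'x'))], [(True, 's', ('x',))]]

# Query Q2(x) = ∃y e(x,y) ∨ t: condition 3 fails, x is absent from the clause t.
Q2_CNF = [[(True, 'e', ('x', 'y')), (True, 't', ())]]
Q2_DNF = [[(True, 'e', ('x', 'y'))], [(True, 't', ())]]


def check_tgd():
    """Definition 7 directly, and via Proposition 9(i) with cnf(¬F) taken from
    the DNF; both routes must agree for a sentence (no free variables)."""
    direct = all(vgt_range_restricted(set(), {'x', 'y'}, {'z'}, TGD_CNF, TGD_DNF))
    via_prop9 = (u_range_restricted({'x', 'y'}, TGD_CNF)
                 and u_range_restricted({'z'}, negation_cnf(TGD_DNF)))
    return direct, via_prop9


if __name__ == '__main__':
    print('TGD:', check_tgd())                                             # (True, True)
    print('∀x (p(x) ∨ q(x)):', u_range_restricted({'x'}, NOT_RR_CNF))     # False
    print('Q:', vgt_range_restricted({'x'}, set(), {'y'}, Q_CNF, Q_DNF))   # (True, True, True)
    print('Q2:', vgt_range_restricted({'x'}, set(), {'y'}, Q2_CNF, Q2_DNF)) # (True, True, False)
```

Returning the three conditions separately rather than their conjunction makes it visible which part of Definition 7 a formula misses: for Q2 only condition 3 fails, which is exactly the requirement on free variables that separates Boolean queries from queries with answer variables.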


3.3 Results on Range-Restricted Interpolation 


The following theorem shows three variations for obtaining range-restricted
interpolants from range-restricted inputs.


Theorem 10 (Interpolation and Range-Restriction). Let F and G be
formulas such that F ⊨ G.


(i) If F is U-range-restricted, then there exists a U-range-restricted Craig-
Lyndon interpolant H of F and G. Moreover, H can be effectively constructed
from a clausal tableau proof of F ⊨ G.

(ii) If F and G are sentences such that F and ¬G are U-range-restricted, then
there exists a VGT-range-restricted Craig-Lyndon interpolant H of F and
G. Moreover, H can be effectively constructed from a clausal tableau proof
of F ⊨ G.

(iii) If F and ¬G are U-range-restricted, Var(F) = Var(G) = X, and (1) no
clause in cnf(F) has only negative literals; (2) for all clauses C in cnf(¬G)
with only negative literals it holds that X ⊆ Var⁻(C); (3) for all clauses C
in cnf(¬G) it holds that Var(C) ∩ X ⊆ Var⁻(C), then there exists a VGT-
range-restricted Craig-Lyndon interpolant H of F and G. Moreover, H can
be effectively constructed from a clausal tableau proof of F ⊨ G.


Observe that Theorem 10.i requires range-restriction only for F, the first of the two interpolation arguments. Theorem 10.iii aims at applications for query reformulation that in a basic form are expressed as interpolation tasks for input formulas F = K ∧ Q(X) and G = ¬K' ∨ Q'(X). Here K expresses background knowledge and constraints as a U-range-restricted sentence and Q(X) represents a query to be reformulated, with free variables X. Formulas K' and Q' are copies of K and Q, respectively, where predicates not allowed in the interpolant are replaced by primed versions. If the query Q is Boolean, i.e., X is empty, and Q is VGT-range-restricted, then Theorem 10.ii already suffices to justify the construction of a VGT-range-restricted interpolant. If X is not empty, the fine-print preconditions of Theorem 10.iii come into play. Precondition (1) requires that cnf(K) does not have a clause with only negative literals, which is satisfied if K represents TGDs. Also cnf(Q) is not allowed to have a clause with only negative literals. By precondition (2) all the free variables X must occur in all those clauses of cnf(¬Q) that only have negative literals, which follows if Q meets condition (3) of the VGT-range-restriction (Definition 7). By precondition (3) for all clauses C in cnf(¬Q) it must hold that Var(C) ∩ X ⊆ Var⁻(C). A sufficient condition for Q to meet all these preconditions is that dnf(Q) has a purely existential quantifier prefix and a matrix with only positive literals where each query variable, i.e., member of X, occurs in each conjunctive clause.


3.4 Proving Range-Restricted Interpolation — The Hyper Property 


We will prove Theorem 10 by showing how the claimed interpolants can be obtained with CTIF. As a preparatory step we match items from the specification of CTIF (Fig. 2) with the constraints of range-restriction. The following notion gathers intermediate formulas and sets of symbols of CTIF.


Definition 11. An interpolation context is a tuple (F,G, F',G', F,0,£,U, 
C, V), where F,G are formulas, F', G' are clausal formulas, C is a set of con- 
stants, F,G are sets of functions, and €,U,V are sets of terms such that the 
following holds. (i) F } G. (ii) Let F, and G. be F and G after replacing each 
free variable with a dedicated fresh constant. Let C be those constants that were 
used there to replace a variable that occurs in both F and G. F' and G" are the 
matrices of cnf(F.) and of cnf(G.), after replacing existentially quantified vari- 
ables with Skolem terms. (iii) F is the union of the set of the Skolem functions 
introduced for existential quantifiers of cnf(F.), the set of functions occurring 
in Fe but not in Ge and, possibly, further functions freshly introduced in the 
grounding step of CTIF. Analogously, G is the union of the set of the Skolem 
functions introduced for cnf(^G.), the set of functions occurring in Ge but not 
in Fe, and, possibly, further functions introduced in grounding. (iv) € and U are 
the sets of all terms with outermost function symbol in F and C, respectively. 
(v) VisEUUUC. 


The following statements about an interpolation context are easy to infer. 


Lemma 12. Let (F, G, F', G', 𝓕, 𝓖, ℰ, 𝒰, 𝒞, 𝒱) be an interpolation context. Then (i) No member of 𝓖 occurs in F'. (ii) No member of 𝓕 occurs in G'. (iii) If F is U-range-restricted, then for all clauses C in F' it holds that if a variable occurs in C in a position that is not within an ℰ-term it occurs in C in a negative literal, in a position that is not within an ℰ-term. (iv) If ¬G is U-range-restricted, then for all clauses C in G' it holds that if a variable occurs in C in a position that is not within a 𝒰-term, it occurs in C in a negative literal, in a position that is not within a 𝒰-term. (v) If G satisfies condition (3) of Theorem 10.iii, then for all clauses C in G' it holds that any member of 𝒞 that occurs in C in a position that is not within a 𝒰-term occurs in C in a negative literal in a position that is not within a 𝒰-term.


CTIF involves conversion of terms to variables at lifting (step 7) and at replacing placeholder constants (step 8). We introduce a notation to identify those terms that will be converted there to variables. It mimics the notation for the set of free variables of a formula but applies to a set of terms, those with occurrences that are “maximal” with respect to a given set S of terms, i.e., are not within another term from S. For NNF formulas F define S-Max(F) as the set of S-terms that occur in F in a position other than as subterm of another S-term. Define S-Max⁺(F) (S-Max⁻(F), respectively) as the set of S-terms that occur in F in a positive (negative, respectively) literal in a position other than as subterm of another S-term. We can now conclude from Lemma 12 the following properties of instances of clauses used for interpolant construction.
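As an added illustration of the S-Max notation just defined (this is not code from the paper), the following Python computes S-Max(C), S-Max⁺(C) and S-Max⁻(C) for a clause by collecting S-terms that are not subterms of other S-terms, and checks the inclusion 𝒱-Max(C) ∩ 𝒰 ⊆ 𝒱-Max⁻(C) that Lemma 13.i attributes to instances of F-side clauses. The term encoding, the symbol sets 𝓕 = {f}, 𝓖 = {g}, 𝒞 = {c} and the two sample clauses are constructed for this example.

```python
"""S-Max on clauses (added example, not the paper's implementation).

Terms: a variable is a str; an application is (symbol, args) with args a
tuple, a constant being (symbol, ()). A literal is (positive, (pred, args)).
A clause is a list of literals. Symbol sets and sample clauses are constructed."""


def s_max_in_term(term, is_s_term, out):
    """Collect the S-terms of `term` that are not inside another S-term."""
    if isinstance(term, str):              # a variable is never an S-term
        return
    if is_s_term(term):
        out.add(term)                      # maximal occurrence: stop here
        return
    for arg in term[1]:                    # not an S-term: look at subterms
        s_max_in_term(arg, is_s_term, out)


def s_max(clause, is_s_term, polarity=None):
    """S-Max(C); with polarity True (False) it is S-Max+(C) (S-Max-(C))."""
    out = set()
    for positive, (_, args) in clause:
        if polarity is None or positive == polarity:
            for arg in args:
                s_max_in_term(arg, is_s_term, out)
    return out


def outermost_in(symbols):
    """Membership test for the terms whose outermost symbol lies in `symbols`."""
    return lambda term: term[0] in symbols


# Constructed interpolation-context symbol sets: F-side functions, G-side
# functions and shared constants, in the roles of Definition 11.
F_FUNS, G_FUNS, CONSTS = {"f"}, {"g"}, {"c"}
in_E = outermost_in(F_FUNS)                       # E-terms
in_U = outermost_in(G_FUNS)                       # U-terms
in_V = outermost_in(F_FUNS | G_FUNS | CONSTS)     # V = E u U u C


def lemma_13i_shape(clause):
    """V-Max(C) ∩ U ⊆ V-Max-(C): every maximal U-term sits in a negative literal."""
    u_terms = {t for t in s_max(clause, in_V) if in_U(t)}
    return u_terms <= s_max(clause, in_V, polarity=False)


# Sample clauses (constructed):  -p(g(x)) v q(f(g(x)), x)   and   p(g(x))
gx = ("g", ("x",))
OK_CLAUSE = [(False, ("p", (gx,))), (True, ("q", (("f", (gx,)), "x")))]
BAD_CLAUSE = [(True, ("p", (gx,)))]
```

In OK_CLAUSE the term g(x) is a maximal 𝒰-term in the negative literal, while its second occurrence sits inside the ℰ-term f(g(x)) and is therefore not counted in 𝒱-Max; the clause satisfies the Lemma 13.i inclusion. BAD_CLAUSE has its only maximal 𝒰-term in a positive literal and fails it.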


Lemma 13. Let (F, G, F', G', 𝓕, 𝓖, ℰ, 𝒰, 𝒞, 𝒱) be an interpolation context. Then

(i) If F is U-range-restricted, then for all instances C of a clause in F' it holds that 𝒱-Max(C) ∩ 𝒰 ⊆ 𝒱-Max⁻(C).

(ii) If ¬G is U-range-restricted, then for all instances C of a clause in G' it holds that 𝒱-Max(C) ∩ ℰ ⊆ 𝒱-Max⁻(C).

(iii) If condition (1) of Theorem 10.iii holds, then no instance C of a clause in F' has only negative literals.

(iv) If condition (2) of Theorem 10.iii holds, then for all instances C of a clause in G' with only negative literals it holds that 𝒞 ⊆ 𝒱-Max⁻(C).

(v) If ¬G is U-range-restricted and condition (3) of Theorem 10.iii holds, then for all instances C of a clause in G' it holds that 𝒱-Max(C) ∩ 𝒞 ⊆ 𝒱-Max⁻(C).


The following proposition adapts Props. 6.v and 6.vi to S-Max.

Proposition 14. Let F_1, F_2, ..., F_n be NNF formulas and let T be a set of terms. Then (i) If S is a set of terms such that for all i ∈ {1, ..., n} and clauses C in cnf(F_i) it holds that T-Max(C) ∩ S ⊆ T-Max⁻(C), then for all clauses C in cnf(⋁_{i=1}^{n} F_i) it holds that T-Max(C) ∩ S ⊆ T-Max⁻(C). (ii) If S is a set of terms such that for all i ∈ {1, ..., n} and conjunctive clauses D in dnf(F_i) it holds that T-Max(D) ∩ S ⊆ T-Max⁺(D), then for all conjunctive clauses D in dnf(⋀_{i=1}^{n} F_i) it holds that T-Max(D) ∩ S ⊆ T-Max⁺(D).


The key to obtain range-restricted interpolants from CTIF is that the tableau 
must have a specific form, which we call hyper, as it resembles proofs by hyper- 
resolution [46] and hypertableaux [2]. 


Definition 15. A clausal tableau is called hyper if the nodes labeled with a negative literal are exactly the leaf nodes.

While hyperresolution and related approaches, e.g., [2,3,11,36,46], consider DAG-shaped proofs with non-rigid variables, aiming at interpolant extraction we consider the hyper property for tree-shaped proofs with rigid variables. The hyper requirement is w.l.o.g. because arbitrary closed clausal tableaux can be converted to tableaux with the hyper property, as we will see in Sect. 5.

The proof of Theorem 10 is based on three properties that invariantly hold 
for all nodes, or for all inner nodes, respectively, stated in the following lemma. 


Lemma 16. Let (F, G, F', G', 𝓕, 𝓖, ℰ, 𝒰, 𝒞, 𝒱) be an interpolation context and assume a leaf-closed and hyper two-sided clausal ground tableau for F' and G'.

(i) If F is U-range-restricted, then for all nodes N the property INV_C(N) defined as follows holds: INV_C(N) :⇔ For all clauses C in cnf(ipol(N)) it holds that 𝒱-Max(C) ∩ 𝒰 ⊆ 𝒱-Max⁻(C) ∪ 𝒱-Max⁺(path_F(N)).

(ii) If ¬G is U-range-restricted, then for all nodes N the property INV_D(N) defined as follows holds: INV_D(N) :⇔ For all conjunctive clauses D in dnf(ipol(N)) it holds that 𝒱-Max(D) ∩ ℰ ⊆ 𝒱-Max⁺(D) ∪ 𝒱-Max⁺(path_G(N)).

(iii) If ¬G is U-range-restricted and conditions (1)-(3) of Theorem 10.iii hold, then for all inner nodes N the property INV_X(N) defined as follows holds: INV_X(N) :⇔ For all conjunctive clauses D in dnf(ipol(N)) it holds that 𝒞 ⊆ 𝒱-Max⁺(D) ∪ 𝒱-Max⁺(path_G(N)).


Each of Lemma 16.i, 16.ii and 16.iii can be proven independently by an induction on the tableau structure, but for the same tableau, such that the properties claimed by them can be combined. In proving these three sub-lemmas it is sufficient to use their respective preconditions only to justify the application of matching sub-lemmas of Lemma 13. That lemma might thus be seen as an abstract interface that delivers everything that depends on these preconditions and is relevant for Theorem 10.

We show here the proof of Lemma 16.i. Lemma 16.ii can be proven in full analogy. The proof of Lemma 16.iii is deferred to [63, App. A]. In general, recall that the tableau in Lemma 16 is a two-sided tableau for F' and G' that is leaf-closed and hyper. Hence literal labels of leaves are negative, while those of inner nodes are positive. All tableau clauses are ground and with an associated side in {F, G} such that a tableau clause with side F is an instance of a clause in F' and one with side G is an instance of a clause in G'.


Proof (Lemma 16.i). By induction on the tableau structure.

Base case where N is a leaf. If N and tgt(N) have the same side, then ipol(N) is a truth value constant, hence 𝒱-Max(ipol(N)) = ∅, implying INV_C(N). If N has side F and tgt(N) has side G, then ipol(N) = lit(N), which, because N is a leaf, is a negative literal. Thus 𝒱-Max(ipol(N)) = 𝒱-Max⁻(ipol(N)), which implies INV_C(N). If N has side G and tgt(N) has side F, then ipol(N) = lit(tgt(N)), which, because N is a leaf, is a positive literal. Thus 𝒱-Max(ipol(N)) ⊆ 𝒱-Max⁺(path_F(N)), implying INV_C(N).
Induction Step. Let N_1, ..., N_n, where 1 ≤ n, be the children of N. Assume as induction hypothesis that for i ∈ {1, ..., n} it holds that INV_C(N_i). Consider the case where the side of the children is F. Then

(1) ipol(N) = ⋁_{i=1}^{n} ipol(N_i).

Assume that INV_C(N) does not hold. Then there exists a clause K in cnf(ipol(N)) and a term t such that (2) t ∈ 𝒰; (3) t ∈ 𝒱-Max(K); (4) t ∉ 𝒱-Max⁻(K); (5) t ∉ 𝒱-Max⁺(path_F(N)). To derive a contradiction, we first show that given (2), (4) and (5) it holds that

(6) For all children N' of N: t ∉ 𝒱-Max⁺(path_F(N')).

Statement (6) can be proven as follows. Assume to the contrary that there is a child N' of N such that t ∈ 𝒱-Max⁺(path_F(N')). By (5) it follows that t ∈ 𝒱-Max(lit(N')) and lit(N') is positive. By Lemma 13.i and (2) there is another child N'' of N such that lit(N'') is negative and t ∈ 𝒱-Max(lit(N'')). Since the tableau is closed, it follows from (5) that tgt(N'') has side G, which implies that ipol(N'') = lit(N''). Hence t ∈ 𝒱-Max⁻(ipol(N'')). Since ipol(N'') is a negative literal and a disjunct of ipol(N), it follows from (1) and Prop. 6.iii that for all clauses C in cnf(ipol(N)) it holds that t ∈ 𝒱-Max⁻(C), contradicting assumption (4). Hence (6) must hold.

From (6), (2) and the induction hypothesis it follows that for all children N' of N and clauses C' in cnf(ipol(N')) it holds that 𝒱-Max(C') ∩ {t} ⊆ 𝒱-Max⁻(C'). Hence, by (1) and Prop. 14.i it follows that for all clauses C in cnf(ipol(N)) it holds that 𝒱-Max(C) ∩ {t} ⊆ 𝒱-Max⁻(C). This, however, contradicts our assumption of the existence of a clause K in cnf(ipol(N)) that satisfies (3) and (4). Hence INV_C(N) must hold.

We conclude the proof of the induction step for INV_C(N) by considering the case where the side of the children of N is G. Then

(7) ipol(N) = ⋀_{i=1}^{n} ipol(N_i).
(8) For all children N' of N: path_F(N) = path_F(N').

INV_C(N) follows from the induction hypothesis, (8), (7) and Prop. 6.i.


The invariant properties of tableau nodes shown in Lemmas 16.i-16.iii apply 
in particular to the tableau root. We now apply this to prove Theorem 10. 


Proof (Theorem 10). Interpolants with the stated properties are obtained with CTIF, assuming w.l.o.g. that the CNF computed in step 2 meets the requirement of Sect. 3.1, and that the closed clausal tableau computed in step 3 is leaf-closed and has the hyper property. That CTIF constructs a Craig-Lyndon interpolant has been shown in [62]. It remains to show the further claimed properties of the interpolant. Let (F, G, F', G', 𝓕, 𝓖, ℰ, 𝒰, 𝒞, 𝒱) be the interpolation context for the input formulas F and G and let N_0 be the root of the tableau computed in step 3. Since N_0 is the root, path_F(N_0) = path_G(N_0) = ⊤ and thus the expressions 𝒱-Max⁺(path_F(N_0)) and 𝒱-Max⁺(path_G(N_0)) in the specifications of INV_C(N_0), INV_D(N_0) and INV_X(N_0) all denote the empty set. The claims made in the particular sub-theorems can then be shown as follows.

(10.i) By Lemma 16.i it follows that INV_C(N_0). Hence, for all clauses C in cnf(ipol(N_0)) it holds that 𝒱-Max(C) ∩ 𝒰 ⊆ 𝒱-Max⁻(C). It follows that the result of the interpolant lifting (step 7) of CTIF applied to ipol(N_0) is U-range-restricted. Placeholder constant replacement (step 8) does not alter this.

(10.ii) As for Theorem 10.i it follows that for all clauses C in cnf(ipol(N_0)) it holds that 𝒱-Max(C) ∩ 𝒰 ⊆ 𝒱-Max⁻(C). By Lemma 16.ii it follows that INV_D(N_0). Hence, for all conjunctive clauses D in dnf(ipol(N_0)) it holds that 𝒱-Max(D) ∩ ℰ ⊆ 𝒱-Max⁺(D). It follows that the result of the interpolant lifting of CTIF applied to ipol(N_0) is U-range-restricted. Since F and G have no free variables, placeholder constant replacement has no effect.

(10.iii) As for Theorem 10.ii it follows that for all clauses C in cnf(ipol(N_0)) it holds that 𝒱-Max(C) ∩ 𝒰 ⊆ 𝒱-Max⁻(C) and for all conjunctive clauses D in dnf(ipol(N_0)) it holds that 𝒱-Max(D) ∩ ℰ ⊆ 𝒱-Max⁺(D). By Lemma 16.iii it follows that INV_X(N_0). Hence, for all conjunctive clauses D in dnf(ipol(N_0)) it holds that 𝒞 ⊆ 𝒱-Max⁺(D). It follows that the result of the interpolant lifting of CTIF applied to ipol(N_0) followed by placeholder constant replacement, now applied to 𝒞, is VGT-range-restricted.


4 Horn Interpolation 


A Horn clause is a clause with at most one positive literal. A Horn formula is built up from Horn clauses with the connectives ∧, ∃ and ∀. Horn formulas are important in countless theoretical and practical respects. Our interpolation method on the basis of clausal tableaux with the hyper property can be applied to obtain a Horn interpolant under the precondition that the first argument formula F of the interpolation problem is Horn. The following theorem makes this precise. It can be proven by an induction on the structure of a clausal tableau with the hyper property (see [63, App. B]).


Theorem 17 (Interpolation from a Horn Formula). Let F be a Horn formula and let G be a formula such that F ⊨ G. Then there exists a Craig-Lyndon interpolant H of F and G that is a Horn formula. Moreover, H can be effectively constructed from a clausal tableau proof of F ⊨ G.


An apparently weaker property than Theorem 17 has been shown in [38, § 4] with techniques from model theory: For two universal Horn formulas F and G there exists a universal Horn formula that is like a Craig interpolant, except that function symbols are not constrained. A universal Horn formula is there a prenex formula with only universal quantifiers and a Horn matrix. For CTIF, the corresponding strengthening of the interpolant to a universal formula can be read off from the specification of interpolant lifting (step 7 in Fig. 2).

The following corollary shows that Theorem 17 can be combined with Theorem 10 to obtain interpolants that are both Horn and range-restricted.


Corollary 18 (Range-Restricted Horn Interpolants). Theorems 10.i, 10.ii and 10.iii can be strengthened: If F is a Horn formula, then there exists a Craig-Lyndon interpolant H with the properties shown in the respective theorem and the additional property that it is Horn. Moreover, H can be effectively constructed from a clausal tableau proof of F ⊨ G.

Proof. Can be shown by combining the proof of Theorem 10.i, 10.ii and 10.iii, respectively, with the proof of interpolation from a Horn sentence, Theorem 17. The combined proofs are based on inductions on the same closed tableau with the hyper property.


5 Obtaining Proofs with the Hyper Property 


Our new interpolation theorems, Theorems 10 and 17, depend on the hyper property of the underlying closed clausal tableaux from which interpolants are extracted. We present a proof transformation that converts any closed clausal tableau to one with the hyper property. The transformation can be applied to a clausal tableau as obtained directly from a clausal tableaux prover. Moreover, it can also be indirectly applied to a resolution proof. To this end, the resolution deduction tree [12] of the binary resolution proof is first translated to a closed clausal ground tableau in cut normal form [31, Sect. 7.22]. There the inner clauses are atomic cuts, tautologies of the form ¬p(t_1, ..., t_n) ∨ p(t_1, ..., t_n) or p(t_1, ..., t_n) ∨ ¬p(t_1, ..., t_n), corresponding to literals upon which a (tree) resolution step has been performed. Clauses of nodes whose children are leaves are instances of input clauses. Our hyper conversion can then be applied to the tableau in cut normal form. It is easy to see that a regular leaf-closed tableau with the hyper property cannot have atomic cuts. Hence the conversion might be viewed as an elimination method for these cuts.

We specify the hyper conversion in Fig. 3 as a procedure that destructively manipulates a tableau. A fresh copy of an ordered tree T is there an ordered tree T' with fresh nodes and edges, related to T through a bijection c such that any node N of T has the same labels (literal label and side label) as node c(N) of T' and such that the i-th edge originating in node N of T ends in node M if and only if the i-th edge originating in node c(N) of T' ends in node c(M). The procedure is performed as an iteration that in each round chooses an inner node with negative literal label and then modifies the tableau. Hence, at termination there is no inner node with negative literal, which means that the tableau is hyper. Termination of the procedure can be shown with a measure that strictly decreases in each round (Prop. 20 in [63, App. C]). Figures 4 and 5 show example applications of the procedure.

Since the hyper conversion procedure copies parts of subtrees it is not a polynomial operation.* To get an idea of its practical feasibility, we experimented with an unbiased set of proofs of miscellaneous problems. For this we took those 112 CASC-J11 [54] problems that could be proven with Prover9 [37] in 400s per

* A thorough complexity analysis should take calculus- or strategy-dependent properties of the input proofs into account. And possibly also the blow-up from resolution to tree resolution underlying the cut normal form tableaux.
INPUT: A closed clausal tableau.

METHOD: Simplify the tableau to leaf-closing and regular form (Sect. 2.2). Repeat the following operations until the resulting tableau is hyper.

1. Let N' be the first node visited in pre-order with a child that is an inner node with a negative literal label. Let N be the leftmost such child.

2. Create a fresh copy U of the subtree rooted at N'. In U remove the edges that originate in the node corresponding to N.

3. Replace the edges originating in N' with the edges originating in N.

4. For each leaf descendant M of N' with lit(M) = lit(N): Create a fresh copy U' of U. Change the origin of the edges originating in the root of U' to M.

5. Simplify the tableau to leaf-closing and regular form (Sect. 2.2).

OUTPUT: A leaf-closed, regular and hyper clausal tableau whose clauses are clauses of the input tableau.

Fig. 3. The hyper conversion proof transformation procedure.


Fig. 4. Hyper conversion of a closed clausal tableau in two rounds.

[Figures 4 and 5: tableau diagrams (tree pictures of the rounds, with nodes labeled by literals such as p, ¬p, q, ¬q and the "simp" steps); not reproducible in text.]

Fig. 5. Hyper conversion of a closed clausal tableau in cut normal form in two rounds. For each round the result after procedure steps 1-4 is shown and then the result after step 5, simplification, applied here to achieve regularity.
problem, including a basic proof conversion with Prover9's tool Prooftrans. The hyper conversion succeeded on 107 (or 96%) of these, given 400s timeout per proof, where the actual median of used time was only 0.01s. It was applied to a tableau in cut normal form that represents the proof tree of Prover9's proof. The two intermediate steps, translation of paramodulation to binary resolution and expansion to cut normal form, succeeded in fractions of a second, except for one case where the expansion took 121s and two cases where it failed due to memory exhaustion. The hyper conversion then failed in three further cases. For all except two proofs the hyper conversion reduced the proof size, where the overall median of the size ratio hyper-to-input was 0.39. See [63, App. D] for details.


6 Conclusion 


We conclude with discussing related work, open issues and perspectives. Our 
interpolation method CTIF [62] is complete for first-order logic with func- 
tion symbols. Vampire's native interpolation [22,23], targeted at verification, 
is like all local methods incomplete [28]. Princess [10,47] implements interpola- 
tion with a sequent calculus that supports theories for verification and permits 
uninterpreted predicates and functions. Suitable proofs for our approach can 
currently be obtained from CMProver (clausal tableaux) and Prover9 (resolu- 
tion/paramodulation). With optimized settings, Vampire [27] and E [49] as of 
today only output proofs with gaps. This seems to improve [48] or might be 
overcome by re-proving with Prover9 using lemmas from the more powerful sys- 
tems. 

So far we did not address special handling of equality in the context of range-restriction, a topic on its own, e.g., [3,59]. We treat it as a predicate, with axioms for reflexivity, symmetry, transitivity and substitutivity. CTIF works smoothly with these, respecting polarity constraints of equality in interpolants [62, Sect. 10.4]. With the exception of reflexivity these axioms are U-range-restricted. We do not interfere with the provers' equality handling and just translate in finished proofs paramodulation into binary resolution with substitutivity axioms.

The potential bottleneck of conversion to clausal form in CTIF may be remedied with structure-preserving (aka definitional) normal forms [19,44,50,58].

Our hyper property might be of interest for proof presentation and exchange, 
since it gives the proof tree a constrained shape and in experiments often short- 
ens it. Like hyperresolution and hypertableaux it can be generalized to take a 
"semantics" into account [51] [12, Chap. 6] [26, Sect. 4.5]. To shorten interpolants, 
it might be combined with proof reductions (e.g., [64]). 

For query reformulation, interpolation on the basis of general first-order ATP was so far hardly considered. Most methods are sequent calculi [6,56] or analytic tableaux systems [5,21,25,57]. Experiments with ATP systems and propositional inputs indicate that requirements are quite different from those in verification [4]. An implemented system [25,57] uses analytic tableaux with dedicated refinements for enumerating alternate proofs/interpolants corresponding to query plans for heuristic choice. In [5] the focus is on interpolants that are sentences respecting binding patterns, which, like range-restriction, ensures database evaluability. Our interpolation theorems show fine-grained conditions for passing variations of range-restriction and the Horn property on to interpolants. Matching these with the many formula classes considered in knowledge representation and databases is an issue for future work. A further open topic is adapting recent synthesis techniques for nested relations [6] to the clausal tableaux proof system.

⁵ On a Linux notebook with 12th Gen Intel® Core™ i7-1260P CPU and 32 GB RAM.

Methodically, we exemplified a way to approach operations on proof struc- 
tures while taking efficient automated first-order provers into account. Feasible 
implementations are brought within reach, for practical application and also for 
validating abstract claims and conjectures with scrutiny. The prover is a black 
box, given freedom on optimizations, strategy and even calculus. For interfacing, 
the overall setting incorporates clausification and Skolemization. Requirements 
on the proof structure do not hamper proof search, but are ensured by transfor- 
mations applied to proofs returned by the efficient systems. 


Acknowledgments. The author thanks Michael Benedikt for bringing the subtleties 
of range-restriction in databases to attention, Cécilia Pradic for insights into subtleties 
of proof theory, and anonymous reviewers for helpful suggestions to improve the pre- 
sentation. 
Abstract. We show that tableau methods for satisfiability in non-classical logics can be supported naturally in SMT solving via the framework of user-propagators. By way of demonstration, we implement the description logic ALC in the Z3 SMT solver and show that working with user-propagators allows us to significantly outperform encodings to first-order logic with relatively little effort. We promote user-propagators for creating solvers for non-classical logics based on tableau calculi.


Keywords: SMT · Non-Classical Logics · User-Propagators · Tableaux


1 Introduction 


Satisfiability modulo theory (SMT) solvers, e.g. [4,14,29], mostly implement CDCL(T) [6,27] to combine propositional satisfiability (SAT) solving with theory-specific decision procedures. Due to the modular nature of the underlying CDCL(T) algorithm, not only can SMT solvers reason in combinations of theories, but it is even possible to add and control custom first-order theories by attaching new decision procedures, as recently introduced in the user-propagator framework [8]. The underlying logic in the SMT solving community is classical first-order logic. When moving towards non-classical logics, such as modal or description logics [2,9,21], tableau calculi provide common ground [13]. The resulting proof procedures behave very differently to SMT solvers [16,22].

In this paper, we argue that it is time to join forces. We show that tableau 
methods can be integrated naturally into SMT solving (Sect.3). In so doing, 
we promote user-propagators [8] for guiding non-classical reasoning within SMT 
solving. We demonstrate our work within the Z3 SMT solver [29] and show that 
this approach outperforms two standard Z3 implementations based on quan- 
tification (Sect. 4). Finally, we discuss an alternative encoding for non-boolean 
based logics capable of dealing with explicit non-containment (Sect. 5). 
Related Work. SAT/SMT solving driven by instantiation rules from modal and description logic tableaux have been investigated [1,20,33], as has porting classical tableau rules to SMT [10], as has intuitionistic logic [12,15]. Our work applies user propagation as a framework for implementing non-classical logics, but also for theories that have tableau rules, such as strings [26] or finite sets [3]. MetTeL 2 [37,38] can automatically synthesize solvers from tableau rules expressed in a domain-specific input language: complex features that cannot be expressed in the input language can be implemented by manually changing the output program generated by the tool.

Another approach to non-classical logics translates non-classical input to SAT/SMT [11,23], first-order or higher-order logic [18,19,31,32,35,36] via a shallow embedding. After translation, a SAT/SMT solver or automatic theorem provers (ATPs) can be used for reasoning. ATPs typically work poorly especially on satisfiable instances from such translations [25,39,40]. Solvers do not usually take into account meta-logical properties of the considered non-classical logic. If at all, such properties are communicated to a solver via further lemmas or fine-tuning the solver's configuration. Our approach allows us to directly encode expert knowledge of the considered logic. Additionally, our approach allows reasoning in multiple non-classical logics simultaneously and supports theory reasoning.


2 Background and Challenges 


Background. We assume familiarity with basics of classical first-order logic [34], SMT solving [7], and the description logic ALC [2]. To avoid confusion with first-order quantifiers, we use modal syntax to write ALC formulas φ as


φ ::= ⊤ | A | ¬φ | φ_1 ∧ φ_2 | □_r φ


where A is a (theory¹) atom and r a modality/role. The logical connectives →, ∨, and ⊥ are defined as usual. The modal operator ◇_r is defined as the dual of □_r. We assume a problem in ALC is given by a knowledge base (TBox, ABox). Elements in TBox are of the form global(φ)² and are intended to be true in all worlds. Elements in ABox are of the form w_i : φ, asserting “φ holds in world w_i”, or r_k : (w_i, w_j), asserting “r_k relates worlds w_i and w_j”. In case no ABox is given, we assume the existence of an implicit world w_0. The truth-value of a formula φ under such a Kripke interpretation is given as in [2].


SMT Challenges for First-Order Translation of Description Logics. We motivate our work by considering the ALC knowledge base


TBox = {global(◇_r(A ∧ ◇_r ¬A))}.   (1)


¹ This is an addition to the classical definition of ALC.
² We write the more usual form φ_1 ⊑ φ_2 as global(φ_1 → φ_2).
rule:   Some conditions P_1, ..., P_n
        ------------------------------------------------------------------------
        sign_{1,1} : φ_{1,1} ∈ L(w_{1,1})       ...     sign_{n,1} : φ_{n,1} ∈ L(w_{n,1})
        ...                                              ...
        sign_{1,m_1} : φ_{1,m_1} ∈ L(w_{1,m_1}) ... sign_{n,m_n} : φ_{n,m_n} ∈ L(w_{n,m_n})


Fig. 1. Abstract tableau calculus rule: premises above the line, the n resulting branches (each a column of signed entries) below it.


One may reason about this formula by (i) translating it into classical first-order logic via the standard translation [9]; and (ii) using a decision procedure handling uninterpreted functions and quantifiers to establish satisfiability of the translated formula. In particular, step (i) translates (1) into the first-order formula


∀x(∃y(reach^r(x, y) ∧ A(y) ∧ ∃z(reach^r(y, z) ∧ ¬A(z))))   (2)


where reach^r is an uninterpreted function symbol. Then, in step (ii) SMT solving over (2) instantiates the universally-quantified variable x with w_0, using for example model-based quantifier instantiation (MBQI) [17]. Skolemization introduces two new constants w_1 and w_2, which results in the quantifier-free instance


reach^r(w_0, w_1) ∧ reach^r(w_1, w_2) ∧ A(w_1) ∧ ¬A(w_2),   (3)

from which the partial interpretation

reach^r(x, y) := if ((x = w_0 ∧ y = w_1) ∨ (x = w_1 ∧ y = w_2)) then ⊤ else ∗   (4)


can be deduced. The symbol ∗ is undetermined and represents an arbitrary Boolean value. Assume that the SMT solver sets ∗ to ⊥ in order to complete the partial model (4) for checking (2): As the solver cannot derive equalities among the world constants w_0, w_1, w_2, the solver has to check all three constants with respect to the universal quantifier of (2). As w_1 and w_2 violate the universal quantifier, further constants are generated by Skolemization, but (2) remains violated and the sequence of MBQI steps repeats indefinitely. Choosing ⊤ for ∗ avoids such failure, but increases the burden of SMT solving, as the solver must consider all potential relations among all constants (here, w_0, w_1 and w_2) and eliminate such relations stepwise again as they lead to conflicts. Randomly choosing ⊤ or ⊥ for completing the partial model (4) of (2) is not a solution either, as it combines the disadvantages of both approaches.


3 Tableau as a Decision Procedure in CDCL(T) 


Addressing the above challenges, we advocate user-propagators for tailored SMT 
solving, providing efficient implementations of custom tableau reasoners. We 
propose using the lemma generation process of CDCL(T), explained below, to 
simulate rule application of tableau calculi. 

In a nutshell, the CDCL(T) infrastructure [6] introduces fresh Boolean variables 
to name theory atoms of an input formula; the resulting propositional skeleton is 
then solved by an ordinary SAT solver. If a propositional model is found, theory 
solvers are asked if the model is correct with respect to theory atoms. These 
specialized procedures may introduce further "lemma" formulas to the Boolean 
abstraction or report conflicts directly, forcing the SAT solver to "correct" the 
Boolean interpretation. This is repeated until all theory solvers agree on the 
Boolean assignment or the Boolean abstraction becomes unsatisfiable. 


$\neg$ rule: $1 : \neg\varphi \in \mathcal{L}(w)$ yields $0 : \varphi \in \mathcal{L}(w)$; and $0 : \neg\varphi \in \mathcal{L}(w)$ yields $1 : \varphi \in \mathcal{L}(w)$.
$\land$ rule: $1 : \varphi_1 \land \varphi_2 \in \mathcal{L}(w)$ yields $1 : \varphi_1 \in \mathcal{L}(w)$ and $1 : \varphi_2 \in \mathcal{L}(w)$; and $0 : \varphi_1 \land \varphi_2 \in \mathcal{L}(w)$ with $0 : \varphi_1, \varphi_2 \notin \mathcal{L}(w)$ yields the two branches $0 : \varphi_1 \in \mathcal{L}(w)$ | $0 : \varphi_2 \in \mathcal{L}(w)$.
$\Box$ rule: $1 : \Box_r\varphi \in \mathcal{L}(w_i)$ and $1 : r(w_j) \in \mathcal{L}(w_i)$ and $w_i$ not blocked yields $1 : \varphi \in \mathcal{L}(w_j)$.
$\Box$ rule: $0 : \Box_r\varphi \in \mathcal{L}(w_i)$ and $\nexists w_j\,(1 : r(w_j) \in \mathcal{L}(w_i) \land 0 : \varphi \in \mathcal{L}(w_j))$ and $w_i$ not blocked yields $0 : \varphi \in \mathcal{L}(w_j)$ with fresh $w_j$, and $1 : r(w_j) \in \mathcal{L}(w_i)$.
global rule: $1 : \mathit{global}(\varphi) \in \mathcal{L}$, $w$ not blocked, and $w$ occurring in some $\mathcal{L}(w')$ yields $1 : \varphi \in \mathcal{L}(w)$.
individual rule: $1 : (w : \varphi) \in \mathcal{L}$ yields $1 : \varphi \in \mathcal{L}(w)$.
reach rule: $1 : (r : (w_i, w_j)) \in \mathcal{L}$ yields $1 : r(w_j) \in \mathcal{L}(w_i)$.

with $w$ being blocked iff there is a (transitive) predecessor $\mathit{pred}$ such that 
$\mathcal{L}(w) \subseteq \mathcal{L}(\mathit{pred})$. 


Fig. 2. Rules for the ALC Description Logic. 


User-Propagators in CDCL(T) with Tableau Methods. Our solution 
builds a custom reasoner using the user-propagator framework [8]. Algorithm 1 
shows the parts relevant for the following discussion. The custom reasoner is 
implemented by providing the methods push, pop, fixed and final in some 
programming language. The method abstr(f) is applied before solving starts. 
All other methods are those of the SMT solver. 

We can simulate a tableau calculus whose rules are of the abstract form 
shown in Fig. 1. We use signed formulas of the form $\mathit{sign} : o(\bar\varphi)$, where $\mathit{sign}$ 
is a member of a fixed set, usually truth values, and $o$ is a logical operator 
applied to operands/subformulas $\bar\varphi$. Each $P_i$ asserts that a signed formula is 
(not) contained in a label $\mathcal{L}(w)$. Labels are sets of signed formulas with known 
sign at some node $w$ on the current branch. Rules may only add signed formulas 
to labels and create new branches. We assume the input is satisfiable when no 
more rule is applicable. 

This means, we consider sound, confluent, and non-destructive tableaux with 
signed formulas [34] and explicit labelled nodes [24], which are straightforward in 
our framework. Many calculi [13], including those for propositional logics, first- 
order logics, various modal/description logics, and several many-valued logics, 
can naturally be expressed within Fig. 1. The main steps of our work towards 
integrating tableau reasoning in SMT solving can be illustrated using a running 
example in ALC. The tableaux rules for ALC in our notation are detailed in 
Fig. 2. 


Algorithm 1: Simple CDCL(T) Algorithm. 
Methods that can be provided by a user-propagator are push, pop, fixed and final. 

  Method CDCLT(f): 
    f ← abstr(f)                                        ▷ Sect. 3.2 
    Loop 
      if conflict(f) then 
        if backtrack(f) = failed then return UNSAT 
        foreach s ∈ T-solvers do s.pop()                ▷ Sect. 3.5 
      while can_unit_propagate(f) do assign(get_up(f)) 
      if contains_unassigned(f) then 
        foreach s ∈ T-solvers do s.push()               ▷ Sect. 3.5 
        assign(guess_variable(f)) 
      else 
        foreach s ∈ T-solvers do s.final()              ▷ Sect. 3.4 
        if ¬new_formulas_propagated() then return SAT 
  Method assign(x, value): 
    foreach s ∈ T-solvers do 
      if is_associated(s, x) ∧ is_relevant(x) then 
        s.fixed(x, value)                               ▷ Sect. 3.3 


Example 1 (Running Example). Consider the ALC knowledge base: 


$\mathit{TBox} = \{\mathit{global}(\mathit{Hum} \to (\Box_p(\mathit{Alive} \to \mathit{age} \le \mathit{recordLifespan}) \land \Diamond_p\mathit{Hum}))\}$
$\mathit{ABox} = \{\mathit{eva} : \mathit{Hum} \lor \Diamond_f\neg\mathit{Hum},\ p : (\mathit{eva}, \mathit{paul})\}$


where Alive, Hum (Human), and age depend on the current world, 
but recordLifespan does not; age and recordLifespan are of integral sort; p 
(parent) and f (friend) denote roles; and eva and paul are named worlds. 


3.1 SMT-LIB Encoding and Custom SMT Theory 


To enable SMT-based tableau reasoning, we encode non-classical logic features 
directly in an extension of the SMT-LIB input standard [5]. In particular, we 
encode non-classical logic symbols with the help of uninterpreted function sym- 
bols and sorts, yielding an SMT theory of non-classical logic. 
Example 2 (ALC Knowledge Base in SMT-LIB). For ALC, we introduce the 
uninterpreted Relation and World sorts and the following functions: 


  box : Relation × B → B          dia : Relation × B → B 
  global : B → B                  world : () → W 
  reachable : Relation × W × W → B 


where B is the sort of Booleans and world represents the current world³. Func- 
tions may have an extra "World" argument to denote their dependency on some 
world. With these syntactic features on top of SMT-LIB, Example 1 is encoded 
as 


(declare-fun Hum (World) Bool) (declare-fun Alive (World) Bool) 
(declare-fun age (World) Int) (declare-const recordLifespan Int) 
(declare-const eva World) (declare-const paul World) 
(declare-const p Relation) (declare-const f Relation) 


(assert (global 
(=> (Hum world) (and 
(box p (=> (Alive world) (<= (age world) recordLifespan))) 
(dia p (Hum world)))))) 
(assert (global (=> (= world eva) (or (Hum world) (dia f (not (Hum world))))))) ; eva : Hum or dia_f not Hum 
(assert (reachable p eva paul)) 


3.2 Preprocessing (Abstr) 


Next, we traverse the syntax tree of the parsed problem and introduce fresh 
user-function symbols to abstract away subformulas we want to observe. All 
instances of introduced user-functions are automatically associated with our 
user-propagator and thus Boolean assignments to those instances might be 
reported by the SMT core by calling the fixed method. We might add a node 
parameter of an uninterpreted sort to user-functions to store additional infor- 
mation, such as the current world in Kripke semantics. As we go, we build a 
tree-shaped abstraction data structure for keeping track of abstracted subfor- 
mulas and efficiently applying tableau rules. Only the root of the abstraction is 
passed to the SMT solver. Furthermore, we apply (logic-specific) simplifications. 


Example 3 (Preprocessing and Abstraction). Recall Example 1. We replace all 
operators handled by tableau rules by fresh user-functions: here, for the occur- 
rences of $\Box_r\varphi$, $\mathit{global}(\varphi)$, and for theory atoms. World-dependent terms and some 
operators, such as $\Box$, require a node argument denoting the world in which they 
are evaluated. To ease instantiating multiple instances of the formulas, we use 
an unbounded variable $x$ as the node argument. We obtain the SMT abstrac- 
tion of Example 1 given in Fig. 3. $G$ denotes applications of the global-rule, $M^r$ 
applications of $\Box_r$, and $T$ arbitrary theory atoms. ABox elements are encoded 
directly by instantiating the node arguments accordingly (e.g., $\neg M^f_1(\mathit{eva})$). 


3 which will be eliminated during preprocessing. 
$G_1 \land (\mathit{Hum}(\mathit{eva}) \lor \neg M^f_1(\mathit{eva})) \land \mathit{reach}^p(\mathit{eva}, \mathit{paul})$
  ├─ $G_1 : \mathit{Hum}(x) \to (M^p_2(x) \land \neg M^p_3(x))$
  │    ├─ $M^p_2(x) : \mathit{Alive}(x) \to T_1(x)$
  │    │    └─ $T_1(x) : \mathit{age}(x) \le \mathit{recordLifespan}$
  │    └─ $M^p_3(x) : \neg\mathit{Hum}(x)$
  └─ $M^f_1(x) : \mathit{Hum}(x)$


Fig. 3. Abstraction tree for Example 1. For simplicity, we rewrote $\Diamond_r A$ as $\neg\Box_r\neg A$. 


3.3 Populating Languages (Fixed) 


Whenever the SAT core assigns a variable $V_i(w) \mapsto \mathit{value}$, we look up the 
operator $o$ and its operands abstracted by $V_i$ during preprocessing. We add 
$o$, together with the auxiliary symbol and its operands $\bar\varphi_j$, to the respective 
label set⁴ such that $\hat{\mathcal{L}}(w) := \hat{\mathcal{L}}(w) \cup \{(\mathit{value} : o, V_i, \bar\varphi_j)\}$. As the user-propagator 
reports only assignments to formulas that were previously abstracted away by 
user-functions, we might also need to abstract away other formulas for which 
we are not interested in adding additional rules, in order to be notified when 
these elements are added to some labels. For example, if we must observe $0 : 
(\varphi_1 \land \varphi_2) \in \mathcal{L}(w)$, we can replace $\land$ by a user-function. Usually, the tableau is 
closed (i.e., a conflict is raised) automatically if we have formulas of different sign. If the 
calculus has more complicated closing conditions, they can be reported explicitly 
by propagating a conflict. 


Example 4 (Tracking Assignments to Arbitrary Subformulas). To keep track 
of all relevant Boolean assignments to atoms, we replace all atoms by user- 
functions, including complex theory atoms such as $\mathit{age}(w) \le \mathit{recordLifespan}$ as 
shown in Fig. 3. To preserve semantics, we add the definitions of the abstracted 
atoms by propagation. For example, within Example 1 we might eagerly propa- 
gate 

$T_1(w) = \mathit{value} \vdash ((\mathit{age}(w) \le \mathit{recordLifespan}) = \mathit{value}),$


as soon as $T_1(w)$ is assigned the Boolean value. 


3.4 Rule Application (Final) 


Whenever the solver has found a Boolean assignment such that the propositional 
abstraction of its extended SMT problem (Sect. 3.1) is satisfied, we apply logic- 
specific tableau rules by iterating over the set $\hat{\mathcal{L}}(w)$ for every node $w$ until no 
more tableau rules are applicable. A propagation claim is of the form $J_1, \ldots, J_m \vdash 
C$. An arbitrary number of them can be added by the user-propagator within 
fixed and final, indicating that the SAT core needs to assign $C \mapsto 1$ justified 
by the expressions $J_1, \ldots, J_m$; here, $C$ may be an arbitrary Boolean expression. 


4 $\hat{\mathcal{L}}(w)$ are sets maintained by the user-propagator code to simulate $\mathcal{L}(w)$. 
Consider a tableau rule $R$ as in Fig. 1 and assume that $R$ is applied because 
$\{P'_1, \ldots, P'_h\} \subseteq \{P_1, \ldots, P_n\}$ are satisfied, obtaining 


$\mathit{Just}(P'_1), \ldots, \mathit{Just}(P'_h) \vdash C,$ (5)


where $\mathit{Just}(P'_i)$ is $J_i$. We give $C$ as a formula in disjunctive normal form (DNF) 


$\bigvee_{1 \le i \le n} \bigwedge_{1 \le j \le m_i} (V_{i,j}(w_{i,j}) = \mathit{sign}_{i,j})$ (6)


simulating application of the rule $R$. We note that by using relevancy prop- 
agation [28] SMT solving may enjoy tableau-style branching, such that only 
one disjunct of the above DNF is chosen and reported assigned; unnecessary 
Boolean assignments are not reported to the user-propagator. We distinguish 
between two types of $P'_i$ in (5): (i) those asserting elements are in the label, 
where $P'_i$ is $\mathit{sign} : o(\bar\varphi) \in \mathcal{L}(w)$; and (ii) those that assert the opposite, where 
$P'_i$ is $\mathit{sign} : o(\bar\varphi) \notin \mathcal{L}(w)$. 

Justifying (i) is straightforward, as there must be an auxiliary user-function 
denoting that the respective element is contained in the label. We therefore have 
$\mathit{sign} : o(\bar\varphi), V_i \in \hat{\mathcal{L}}(w)$ and define $\mathit{Just}(P'_i)$ to be the equality $V_i = \mathit{sign}$. 
Case (ii) cannot be justified in general in our encoding because some assign- 
ments might not have been reported due to relevancy propagation. However, 
justifications for non-containment constraints may be omitted in the following 
scenarios: 


1. The expression $C$ can be simplified to $\top$ with respect to the current SAT 
assignment and hence Lemma (5) and its justifications are irrelevant. Consider 
$F(w) \mapsto 0$ where $F(w)$ is a user-function used to replace $A \land B$ in some node 
$w$ (see $\land$ rule in Fig. 2) and $0 : A \in \mathcal{L}(w)$. Propagating $F(w) \vdash A(w) = 
\bot \lor B(w) = \bot$ has no effect, as the SMT solver detects that the consequent 
is already satisfied and ignores (5). 

2. Applying $R$ without satisfying the negative containment condition does not 
affect soundness or completeness and we make sure that we do not apply $R$ 
infinitely often. Consider $F(w) \mapsto 0$ where $F(w)$ replaces $\Box A$ in some node $w$ 
(see $\Box$ rule in Fig. 2). Applying this rule once or finitely often does not affect 
soundness or completeness in ALC. 


In either scenario, we do not justify that the respective conditions $P'$ are satisfied, 
but only check $P'$ before application of $R$ (e.g., checking if a world is blocked). 
We hence set $\mathit{Just}(P'_i)$ to $\top$. 


Example 5 (Applying Rules). Recall Example 1. Consider $1 : M^p_2 \in \mathcal{L}(\mathit{eva})$, $0 : 
M^p_3 \in \mathcal{L}(\mathit{eva})$ and $1 : G_1 \in \mathcal{L}$. SMT solving may propagate in final 


$M^p_3(\mathit{eva}) = \bot \vdash (\neg\mathit{Hum}(\mathit{mary})) = \bot \land \mathit{reach}^p(\mathit{eva}, \mathit{mary}) = \top$

by a $0 : \Box$-rule instance of Fig. 1, where mary is a fresh world. The next final 
callback might then propagate (because of the $1 : \Box$ and $1 : \mathit{global}$ rules) 


$M^p_2(\mathit{eva}) = \top \land \mathit{reach}^p(\mathit{eva}, \mathit{mary}) = \top \vdash (\mathit{Alive}(\mathit{mary}) \to T_1(\mathit{mary})) = \top$
$G_1 = \top \land \mathit{reach}^p(\mathit{eva}, \mathit{mary}) = \top \vdash (\mathit{Hum}(\mathit{mary}) \to (M^p_2(\mathit{mary}) \land \neg M^p_3(\mathit{mary}))) = \top.$
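To make the final callback of Sect. 3.4 concrete, the following is an added Python sketch (not the paper's ModalZ3 code) that keeps the label sets $\hat{\mathcal{L}}(w)$, turns the two $\Box$ rules of Fig. 2 into propagation claims of the shape (5)/(6), and applies the blocking check before each rule; the formula encoding, the class name BoxPropagator and the claim tuple layout are assumptions of this example. Replaying the first step of Example 5 on it produces the fresh-world claim, and a successor whose label is contained in its predecessor's label is blocked, so the $0 : \Box$ rule stops generating worlds.

```python
from itertools import count

# Constructed formula representation (not the paper's data structures):
#   ('atom', name) | ('not', f) | ('imp', f, g) | ('box', r, f)
# hat-L(w) is a set of (sign, formula).  The edge 1 : r(w_j) in L(w_i)
# is stored in hat-L(w_i) as (1, ('edge', r, w_j)).

def show(f):
    """Name of the user-function (or atom) that abstracts formula f."""
    kind = f[0]
    if kind == 'atom':
        return f[1]
    if kind == 'not':
        return '~' + show(f[1])
    if kind == 'imp':
        return '(' + show(f[1]) + ' -> ' + show(f[2]) + ')'
    if kind == 'box':
        return 'box_' + f[1] + '(' + show(f[2]) + ')'
    raise ValueError(f)


class BoxPropagator:
    """Simulates the two box rules of Fig. 2 as propagation claims.

    A claim is a pair (J, C): J is a list of justifications
    (name, world, value) and C is the DNF of (6), a list of conjunctions,
    each a list of (name, world, value) literals.
    """

    def __init__(self):
        self.labels = {}       # world -> hat-L(world)
        self.fresh = count(1)  # numbers fresh worlds w1, w2, ...
        self.done = set()      # rule instances already applied (scenario 2)

    def fixed(self, world, formula, value):
        """Callback for V(world) := value: record the signed element."""
        self.labels.setdefault(world, set()).add((value, formula))

    def edges(self):
        for w_i, label in self.labels.items():
            for sign, f in label:
                if sign == 1 and f[0] == 'edge':
                    yield w_i, f[1], f[2]

    def predecessors(self, w):
        """All transitive predecessors of w along reported edges."""
        seen, todo = set(), [w]
        while todo:
            x = todo.pop()
            for w_i, _, w_j in self.edges():
                if w_j == x and w_i not in seen:
                    seen.add(w_i)
                    todo.append(w_i)
        return seen

    def blocked(self, w):
        """w is blocked iff some predecessor pred has L(w) <= L(pred)."""
        label = self.labels.get(w, set())
        return any(label <= self.labels.get(p, set())
                   for p in self.predecessors(w))

    def final(self):
        """Apply the box rules to every unblocked node; return new claims."""
        claims = []
        for w_i, label in list(self.labels.items()):
            if self.blocked(w_i):
                continue
            for sign, f in list(label):
                if f[0] != 'box':
                    continue
                r, phi = f[1], f[2]
                succ = [w_j for x, r2, w_j in self.edges()
                        if x == w_i and r2 == r]
                if sign == 1:
                    # 1:box rule: push phi to every r-successor lacking it
                    for w_j in succ:
                        key = ('1box', w_i, f, w_j)
                        if key in self.done or (1, phi) in self.labels.get(w_j, set()):
                            continue
                        self.done.add(key)
                        claims.append(([(show(f), w_i, 1),
                                        ('reach_' + r, (w_i, w_j), 1)],
                                       [[(show(phi), w_j, 1)]]))
                else:
                    # 0:box rule: create a fresh r-successor falsifying phi
                    # unless one exists; applied at most once per instance
                    key = ('0box', w_i, f)
                    if key in self.done or any(
                            (0, phi) in self.labels.get(w_j, set()) for w_j in succ):
                        continue
                    self.done.add(key)
                    w_j = 'w%d' % next(self.fresh)
                    claims.append(([(show(f), w_i, 0)],
                                   [[(show(phi), w_j, 0),
                                     ('reach_' + r, (w_i, w_j), 1)]]))
        return claims
```

Feeding a claim's literals back through fixed, as the SAT core would after accepting the claim, is what makes the next final call fire the $1 : \Box$ rule on the new world.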


3.5 Backtracking (Push+pop) 


Backtracking in the CDCL core of SMT solving uses justifications provided for 
propagation claims. Our SMT-based tableau reasoner has to reset (pop) its state 
to a previously-saved state (push), by restoring the value of $\hat{\mathcal{L}}(w)$ to the one it 
had in the previous state. However, unlike tableau calculi, subformulas intro- 
duced by rule application may persist after backtracking because of conflict 
learning and similar techniques, which can result in the solver assigning these 
atoms unnecessarily. These spurious assignments correspond to adding elements 
to some label $\hat{\mathcal{L}}(w)$ without a respective rule being applicable and hence, it 
might happen that $\hat{\mathcal{L}}(w) \neq \mathcal{L}(w)$. We can nonetheless apply rules resulting from 
spurious assignments as if they were not spurious: mostly, the solver will either 
justify the spurious elements anyway later or, in the case of a conflict, backtrack 
and undo these assignments. 


Example 6 (Spurious Assignments). Recall Example 1. Suppose paul has a par- 
ent mary, generated by $M^p_3(\mathit{paul}) \mapsto 0$ using the $0 : \Box$-rule. Further, assume mary 
has a parent sam, generated by $M^p_3(\mathit{mary}) \mapsto 0$. On conflict, the SMT solver 
might backtrack to a state before assigning $M^p_3(\mathit{paul}) \mapsto 0$. The tableau-based 
theory solver removes $\mathit{reach}^p(\mathit{sam})$ from $\mathcal{L}(\mathit{mary})$, as well as $\mathit{reach}^p(\mathit{mary})$ from 
$\mathcal{L}(\mathit{paul})$. However, the solver may not "forget" the existence of atoms $M^p_3(\mathit{mary})$ 
and $M^p_3(\mathit{paul})$. It may therefore happen that $M^p_3(\mathit{mary})$ is assigned later without 
first generating mary via $M^p_3(\mathit{paul}) \mapsto 0$. We ignore this spurious assignment, as 
the solver may later again assign $M^p_3(\mathit{paul}) \mapsto 0$, ex post facto justifying the exis- 
tence of mary. If this justification is not given later and we encounter a conflict, 
the solver backtracks and removes the spurious assignment. If it leads to a model, 
we ignore everything in the model resulting from the spurious assignment. 


4 Implementation and Experiments 


We implemented⁵ our tableau reasoning approach from Sect. 3 in the Z3 SMT 
solver [29]. We compare our implementation applying user propagation over the 
custom SMT theory of Sect. 3.1 against our implementation using two trans- 
lations of modal logic to first-order logic, viz. the standard translation [9] and 
iterative deepening using cardinality assumptions. We considered altogether 400 
satisfiable and 185 unsatisfiable benchmarks in the modal logic K [30]. Our initial 
experiments using a 60-second timeout are summarized in Table 1, showing that 
applying our user-propagator framework performs the best. This is partially so 
because quantifier reasoning in Z3 comes with MBQI overhead (Sect. 2). Finite 
model building performs poorly for large minimal models. 


5 https://github.com/CEisenhofer/ModalZ3. 


Table 1. Experimental results for benchmarks in the modal logic K. 


                     | satisfiable (400) | unsatisfiable (185) | total (585) 
standard translation | 221 (55.3%)       | 81 (43.8%)          | 302 (51.6%) 
model building       | 219 (54.8%)       | 78 (42.2%)          | 297 (50.8%) 
user-propagator      | 269 (67.3%)       | 132 (71.4%)         | 401 (68.5%) 


5 Conclusion and Discussion 


We introduce an SMT-based reasoning framework for tableau methods, encoding 
tableau rules directly in SMT and applying user-propagators for custom reason- 
ing. When implemented and evaluated using the Z3 SMT solver, our results 
outperform alternative encodings of the modal logic K. However, implementing 
logics via user-propagators requires further knowledge about the considered non- 
classical logics for tailored support towards, e.g., conflict learning and theory 
reasoning. 


Beyond the Boolean Basis and Alternative Encodings. We so far considered an 
assignment $V \mapsto \mathit{value}$ to denote that $\mathit{value} : V \in \mathcal{L}(w)$ and only capture 
$\mathit{value} : V \notin \mathcal{L}(w)$ implicitly. This can be generalized to $n$ mutually-exclusive 
truth values by using $\lceil \log_2(n) \rceil$ Boolean variables. If, on the other hand, we 
need to justify that some element is not in our label, we can use a different 
encoding with each potential value encoded by a single Boolean. In this case, we 
use $\mathit{bit}_{\mathit{sign}}(V) = \mathit{true}$ to represent $V \in \mathcal{L}(w)$ instead of $V = \mathit{sign}$. 


Example 7 (Ternary Logic). Consider a three-valued logic with values true, false, 
and undefined. The first encoding represents each truth value as a list of two bits 
where 00 represents false, 01 true, and 10 undefined respectively. The case of 11 
is invalid. The second uses a list of three bits, one for each potential value. For 
each introduced subformula, we additionally propagate the cardinality constraint 
that exactly one bit has to be set to 1. This encoding incorporates the usual 
assumption that $\mathit{value}_1 : o \in \mathcal{L}(w)$ and $\mathit{value}_2 : o \in \mathcal{L}(w)$ with $\mathit{value}_1 \neq \mathit{value}_2$ 
represents a conflict, but could be dropped in cases where this is not desired. 


Theories and Non-Classical Logic. A challenging question arises when considering 
theories in combination with non-Boolean based logics. As we abstract away 
theory atoms (Example 3) and add them again on demand (Example 4), we 
can customize what and how theory atoms are passed to the SMT solver. For 
ternary logic, we might propagate the theory atom positively when assigned true, 
for false its negation, and nothing when the value is undefined. 
Abstract. We report on an implementation of a tableaux calculus for 
sceptical consequence in Default Logic built on Hybrid Modal Logic. 
In turn, our tool offers support for checking default consequence over 
formulas from Propositional Logic, Basic Modal Logic and Hybrid Logic. 
We develop a test suite for assessing the correctness, scalability, and 
efficiency of our system, and inform on the results. Interestingly, our 
method can be adapted to generate examples for other default provers. 


1 Introduction 


A tableau method [11] is a standard proof procedure based on ‘refutations’. To 
prove that a certain fact is valid, the procedure begins with a syntactical expres- 
sion intended to assert the negation of the given fact. Then, successive steps 
syntactically break down this assertion into cases. Finally, impossibility condi- 
tions dictate closing cases. A proof is obtained if all cases are closed. Tableaux 
are one of the most popular proof calculi for Modal Logics, as they are known 
to lead to efficient and modular implementations [9]. 

The tableaux method presented here, called default tableaux, operates in the 
way just described. The novelty is that this tableaux method captures scepti- 
cal consequence in Default Logic [17], one of the most prominent approaches 
for non-monotonic reasoning [1]. Two distinguishing characteristics of a default 
logic are defaults and alternative extensions. Briefly, defaults can be understood 
as defeasible rules of inference, whereas extensions can be understood as sets 
closed under the application of defaults. Alternative extensions originate from 
‘consistency checks’ on the application of defaults. A formula is called a 'scep- 
tical consequence' if it is a consequence from every alternative extension. Our 
tableaux method handles sceptical consequence for DHL, a default logic built 
over Hybrid Logic (HL) [3,4], via default tableaux. Default tableaux are intro- 
duced as an extension of tableaux for HL. These tableaux build on results pre- 
sented in [5,7]. 

Moreover, we report on DefTab, an implementation of the default tableaux 
mentioned above. DefTab was originally conceived for checking sceptical conse- 
quence in Default Intuitionistic Logic [7]. Here, we advance on a modular imple- 
mentation of a default prover acting over different modal logics. The general 
implementation of the tool is based on the architecture of HTab [13], a tableaux 
system for HL (see also [12]). Given the ability of handling formulas from HL, 
our prover also supports formulas from fragments of HL such as Classical Propo- 
sitional Logic and Basic Modal Logic. Each fragment is in itself interesting. 

We discuss the overall architecture of DefTab, the implementation of default 
tableaux algorithm, and optimization details. In addition, we present an empiri- 
cal evaluation of the tool to assess its correctness and efficiency. To this end, we 
build a test suite for sceptical consequence in DHL by using hGen [2], a random 
formula generator for HL and the mentioned fragments. We provide a system- 
atic method to convert formulas generated by hGen into interesting test cases 
for DHL. We posit other provers could benefit from our method in the future. 


2 Basic Definitions 


Hybrid Logic. The language of HL is defined on an enumerable set $\mathsf{P} = 
\{p_i \mid 0 \le i\}$ of proposition symbols and an enumerable set $\mathsf{N} = \{n_i \mid 0 \le i\}$ of 
nominals, and is determined by the following BNF: 


$\varphi ::= p_i \mid n_i \mid \neg\varphi \mid \varphi \land \varphi \mid \Box\varphi \mid @_{n_i}\varphi \mid \mathsf{A}\varphi.$


Other Boolean connectives are defined as usual. The modal formula $\Diamond\varphi$ is an 
abbreviation for $\neg\Box\neg\varphi$, whereas $\mathsf{E}\varphi$ abbreviates $\neg\mathsf{A}\neg\varphi$. We will also refer to 
some fragments of HL: the Basic Hybrid Logic (HL) is obtained by removing the 
constructor $\mathsf{A}\varphi$ from the BNF above. The Basic Modal Logic (BML) is obtained 
by additionally removing $n_i$ and $@_{n_i}\varphi$ from the BNF. Finally, the Classical 
Propositional Logic (CPL) is obtained by additionally removing $\Box\varphi$. 

A hybrid Kripke model $\mathcal{M}$ is a tuple $(W, R, V)$ where: $W$ is a non-empty set 
of elements called worlds; $R \subseteq W^2$ is the accessibility relation; and the valuation 
$V : \mathsf{P} \cup \mathsf{N} \to 2^W$ is a function s.t. for all $n \in \mathsf{N}$, $|V(n)| = 1$. 

The notion of satisfiability, written $\mathcal{M}, w \models \varphi$, is defined inductively as fol- 
lows, with the Boolean cases defined as usual: 


$\mathcal{M}, w \models p_i$ iff $w \in V(p_i)$ 

$\mathcal{M}, w \models n_i$ iff $\{w\} = V(n_i)$ 

$\mathcal{M}, w \models \Box\varphi$ iff for all $w' \in W$, $Rww'$ implies $\mathcal{M}, w' \models \varphi$ 

$\mathcal{M}, w \models \mathsf{A}\varphi$ iff for all $w' \in W$, $\mathcal{M}, w' \models \varphi$ 

$\mathcal{M}, w \models @_{n_i}\varphi$ iff $\mathcal{M}, w' \models \varphi$, where $\{w'\} = V(n_i)$. 


We write $\mathcal{M}, w \models \Phi$ to abbreviate: for all $\varphi \in \Phi$, $\mathcal{M}, w \models \varphi$. We call $\varphi$ a (local) 
semantic consequence ([3]) of $\Phi$, notation $\Phi \models \varphi$, iff for every hybrid Kripke 
model $\mathcal{M}$, and world $w$ of $\mathcal{M}$, if $\mathcal{M}, w \models \Phi$, then $\mathcal{M}, w \models \varphi$. 


Normal Default Logic. The work on Default Logic, initiated in [17], comprises 
nowadays a wide range of non-monotonic formalisms built on an underlying 
(typically monotonic) logic. In what follows, we describe a default logic built on 
HL, and call this default logic Default Hybrid Logic (DHL). 
DHL is characterized by normal defaults and extensions. A normal default is 
a pair $(\pi, \chi)$ of formulas of HL written as $\pi/\chi$; where $\pi$ is called the prerequisite 
of the default, and $\chi$ its consequent. A normal default can be understood as a 
non-admissible rule of inference of HL which is only applied if its application 
does not yield a contradiction. Normal defaults are common in the literature, 
since interestingly most existing variants of Default Logic converge in the case 
of normal defaults (see, e.g., [1]). Extensions are defined with respect to default 
theories. A default theory is a pair $\Theta = (\Phi, \Delta)$ where: $\Phi$ is a set of formulas of 
HL, also indicated by $\Phi_\Theta$; and $\Delta$ is a set of normal defaults, also indicated by 
$\Delta_\Theta$. An extension can be understood as a saturation of a set of facts via the 
application of defaults. The precise definition of an extension is given in Def. 4. 


Definition 1. Let $\delta = \pi/\chi$ be a default and $\Delta$ be a set of defaults; then: $\delta^\pi = \pi$, 
$\delta^\chi = \chi$; $\Delta^\pi = \{\delta^\pi \mid \delta \in \Delta\}$, $\Delta^\chi = \{\delta^\chi \mid \delta \in \Delta\}$ and $\Delta \cup \delta = \Delta \cup \{\delta\}$. 


Definition 2 (Detachment). Let $\Theta$ be a default theory, and $\Delta \cup \delta \subseteq \Delta_\Theta$; we 
say that $\delta$ is triggered by $\Delta$ (in $\Theta$) iff $(\Phi_\Theta \cup \Delta^\chi) \models \delta^\pi$. We say that $\delta$ is blocked 
by $\Delta$ iff $(\Phi_\Theta \cup (\Delta \cup \delta)^\chi) \models \bot$. We say that $\delta$ is detached by $\Delta$ if $\delta$ is triggered, 
and not blocked, by $\Delta$. 


If we think of a default $\pi/\chi$ as a rule which enables us to pass from $\pi$ to $\chi$, 
the notion of detachment in Def. 2 tells us under which conditions on $\pi$ we 
can obtain $\chi$. The definition of detachment is an intermediate step towards the 
definition of an extension via generating sets. 


Definition 3 (Generating Set). Let $\Theta$ be a default theory; we call $\Delta \subseteq \Delta_\Theta$ 
a generating set if there is a total ordering $<$ on $\Delta_\Theta$ s.t. $\Delta = D^<_\Theta(n)$, where 
$n = |\Delta_\Theta|$, $D^<_\Theta(0) = \emptyset$, and for all $0 \le i < n$: 


$D^<_\Theta(i+1) = D^<_\Theta(i) \cup \delta$ if $\delta \in \Delta_\Theta \setminus D^<_\Theta(i)$ is detached by $D^<_\Theta(i)$, and 
for all $\eta \neq \delta \in \Delta_\Theta \setminus D^<_\Theta(i)$, if $\eta$ is detached by $D^<_\Theta(i)$, then $\delta < \eta$; 

$D^<_\Theta(i+1) = D^<_\Theta(i)$ otherwise. 


Definition 4 (Extension). Let $\Theta$ be a default theory and $E = \Phi_\Theta \cup \Delta^\chi$; the 
set $E$ is an extension of $\Theta$ iff $\Delta$ is a generating subset of $\Delta_\Theta$. We use $\mathcal{E}(\Theta)$ to 
indicate the set of all extensions of $\Theta$. 


As mentioned, intuitively, an extension is a set of formulas that is closed 
under detachment. We present the definition of default consequence in Def. 5. 


Definition 5 (Default Consequence). We say a formula $\varphi$ is a sceptical 
consequence of a default theory $\Theta$, notation $\Theta \models \varphi$, iff for all $E \in \mathcal{E}(\Theta)$, $E \models \varphi$. 


The notion of default consequence in Def. 5 is referred to as sceptical in the 
literature on Default Logic. In Sec. 3 we present a syntactic characterization of 
sceptical consequence via a default tableaux proof calculus. This proof calculus 
is the focus of our system description. We illustrate our definitions in Ex. 1. 
Example 1. We start by assuming that every world in the model has a succes- 
sor, and that every world is either a sink world (nominal $s$) or 'sees' the sink 
world. These assumptions are expressed in a default theory as facts, i.e., by 
$\Phi = \{\mathsf{A}\Diamond\top, \mathsf{A}(s \lor \Diamond s)\}$. Moreover, we have three defaults: $\delta_1 = \top/@_{n_2}\Diamond n_3$, 
$\delta_2 = \top/@_{n_3}\neg s$, and $\delta_3 = \top/@_{n_3}\Box n_3$. Thus, we have $\Delta = \{\delta_1, \delta_2, \delta_3\}$, and 
$\Theta = (\Phi, \Delta)$. The default $\delta_1$ expresses that $n_2$ must 'see' $n_3$. This default is 
detached by $\emptyset$. Then, we have the defaults $\delta_2$, expressing that $n_3$ must not be 
the sink world, and $\delta_3$, expressing that $n_3$ must only 'see' itself. Both of these 
defaults are individually detached by $\delta_1$, but they block each other: $\delta_2$ forces 
$n_3$ to have a successor different from itself to comply with the facts, while $\delta_3$ 
forces $n_3$ to see only itself, i.e., it forces $n_3$ to be the sink. This means that we 
have two generating sets, $\{\delta_1, \delta_2\}$ and $\{\delta_1, \delta_3\}$, thus there are two extensions: 
$E_1 = \Phi \cup \{@_{n_2}\Diamond n_3, @_{n_3}\neg s\}$ and $E_2 = \Phi \cup \{@_{n_2}\Diamond n_3, @_{n_3}\Box n_3\}$. In both cases, 
$n_2$ sees the sink in two steps, i.e., $\Theta \models @_{n_2}\Diamond\Diamond s$. 
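Definitions 1 to 5 depend on the base logic only through its consequence relation $\models$, so the construction of $D^<_\Theta(i)$, generating sets, extensions and sceptical consequence can be run directly; the following is an added Python implementation (not DefTab's code) that goes beyond the page by using propositional logic with truth-table entailment as the base logic in place of HL. The formula encoding and function names are this example's own. The test theory mirrors Example 1: one default detached by $\emptyset$ and two mutually blocking defaults, giving two extensions.

```python
from itert000ools import permutations, product
```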


3 Default Tableaux Proof Calculus 


We present the default tableaux calculus for sceptical consequence in DHL which 
is the focus of our system description. In what follows, we consider all the formu- 
las from HL in negation normal form. The default tableaux calculus for sceptical 
consequence in DHL constructs so-called default tableaux. A default tableau is a 
tree whose nodes are of three different kinds. We write nodes of the first kind as 
$@_i\varphi$, meaning that $\varphi$ holds at world $i$. The second kind of nodes (which is a spe- 
cial case of the first kind) is written as $@_i\Diamond j$, meaning that world $j$ is accessible 
from world $i$. Nodes of the third kind are indicated by defaults. This last kind 
of nodes marks the use of a default in a proof attempt. A default tableau for a 
formula $\varphi$ from a default theory $\Theta$ is a default tableau whose root is $@_0\neg\varphi$, and 
whose construction is carried out using the rules from Fig. 1. 


$(\land)$: from $@_i(\varphi \land \psi)$ derive $@_i\varphi$, $@_i\psi$ 
$(\Diamond)^1$: from $@_i\Diamond\varphi$ derive $@_i\Diamond j$, $@_j\varphi$ 
$(@)$: from $@_i@_j\varphi$ derive $@_j\varphi$ 
$(\mathsf{E})^1$: from $@_i\mathsf{E}\varphi$ derive $@_j\varphi$ 
$(\lor)$: from $@_i(\varphi \lor \psi)$ branch into $@_i\varphi$ | $@_i\psi$ 
$(\Box)^2$: from $@_i\Box\varphi$, $@_i\Diamond j$ derive $@_j\varphi$ 
$(\mathrm{nom})^2$: from $@_i\varphi$, $@_i j$ derive $@_j\varphi$ 
$(\mathsf{A})^2$: from $@_i\mathsf{A}\varphi$ derive $@_j\varphi$ 
$(\mathsf{F})^3$: derive $@_0\varphi$ 
$(\mathsf{D})^4$: branch into $\delta_1, @_0\delta_1^\chi$ | $\ldots$ | $\delta_n, @_0\delta_n^\chi$ 


1 The nominal $j$ is new to the branch. 

2 The nominal $j$ is already in the branch. 

3 For $\varphi \in \Phi_\Theta$. 

4 For $\{\delta_i \mid i \in [1,n]\} = \{\delta \in \Delta_\Theta \setminus \Delta_B \mid \delta \text{ is detached by } \Delta_B\}$, where $\Delta_B$ is the set of defaults in 
the branch. 


Fig. 1. Tableau expansion rules for DHL. 
The rule (F) enables us to incorporate formulas from $\Phi_\Theta$ into a default 
tableau, while the rule (D) enables us to incorporate defaults from $\Delta_\Theta$. This 
last rule corresponds to the concept of detachment in Def. 2. The notion of 
deducibility using default tableaux is made precise in Def. 7. 


Definition 6 (Closure). A branch of a default tableau is closed if $@_i\varphi$ 
and $@_i\neg\varphi$ occur in the branch. A branch is open if it is not closed. A default 
tableau is closed if all of its branches are closed; otherwise it is open. 


Definition 7 (Default Deducibility). We call any closed default tableau for 
$\varphi$ from $\Theta$ a sceptical proof of $\varphi$ from $\Theta$, notation $\Theta \vdash \varphi$. 


The expansion rules in Fig. 1 together with Def. 7 yield a sceptical proof 
calculus which is sound and complete (see [7] for details of this claim). 


Theorem 1 (Soundness and Completeness). $\Theta \vdash \varphi$ iff $\Theta \models \varphi$. 


In addition, notice that if we forbid the application of the rule (D), we obtain 
a notion of deducibility $\Phi_\Theta \vdash \varphi$ which yields a sound and complete proof calculus 
for HL, i.e., $\Phi_\Theta \vdash \varphi$ iff $\Phi_\Theta \models \varphi$ (see [16]). We use $\vdash$ to syntactically check the side 
condition of the rule (D), and decide whether it can be applied or not. 


Definition 8 (Saturation). A branch of a default tableau is saturated if the 
application of any of the expansion rules in Fig. 1 is redundant. 


It can be proven that every branch of a default tableau can be extended to 
one that is saturated in a finite number of steps. Also, if a default tableau for $\varphi$ 
from $\Theta$ has a branch that is open and saturated, then $\Theta \not\models \varphi$. From these two 
facts, it follows that default tableaux decide sceptical consequence. 


4 Implementation 


DefTab is an implementation of the tableaux proof calculus for sceptical default 
consequence in Sec. 3. The architecture of DefTab is based on the hybrid logic 
prover HTab [13], and incorporates the specific features for implementing default 
reasoning. HTab implements a terminating tableaux algorithm for HL and comes 
ready with some optimizations such as semantic branching and backjumping. 
All these features, as well as others, are reported in detail in [13]. Given $\Theta$ 
and $\varphi$ as input, DefTab builds proof attempts of $\Theta \vdash \varphi$ by searching for Kripke 
models for $\varphi$, and subsequently restricting these models with the use of sentences 
from $\Phi_\Theta$ and defaults from $\Delta_\Theta$. DefTab reports whether a default proof has been 
found or not. In the latter case, it exhibits an extension of $\Theta$ from which $\varphi$ 
does not follow, thus establishing that $\varphi$ is not a default consequence of $\Theta$. In 
what follows we discuss some implementation details, including some comments 
on optimizations. DefTab is available at http://tinyurl.com/deftab0. 
Tableaux and Subtableaux. The tableaux algorithm of DefTab follows a 
standard strategy for proof search, and the novel part is the treatment of the 
rule (D). In such a case, it selects a default $\delta$ from the set $\Delta_\Theta$, and checks if $\delta$ 
is detached, according to Def. 2. This relies on subtableaux, that is, tableaux 
executions that are independent of the main default tableaux. These subtableaux 
are needed to check whether $\delta$ is detached in the branch; i.e., whether it is 
triggered (i.e., $\delta^\pi$ is a consequence of the premises and the consequences already 
obtained in the branch), and not blocked (i.e., whether $\delta^\chi$ adds an inconsistency into 
the branch). If $\delta$ is detached, then $@_0\delta^\chi$ is added to the branch, $\delta$ is marked as 
treated, and the algorithm continues with the expansion of the updated branch. 
Once no rule can be applied, the algorithm returns TRUE if and only if $\varphi$ is a 
default consequence of $\Theta$. 


Subtableaux Caching. One of the main optimizations provided in DefTab 
is caching, which rests on the following observation. Subtableaux are executed to 
check which default rules are triggered or blocked in the context of a branch. 
Many of these checks are redundant, since the results of such subtableaux do 
not change unless a default rule is applied to the branch. DefTab implements a 
simple caching system that stores subtableaux results in a dictionary. Each time 
a subtableau is about to be executed, its set of initial formulas is checked 
against the cache. If there is a cache hit, the result is taken from the cache and 
a tableaux run is saved. Note that subtableaux do not involve the rule (D); that 
is, they are purely tableaux of the underlying logic. 


Default Rules Data Structures. At any given moment, DefTab maintains 
defaults in two lists: available and triggered. The available list initially contains the 
defaults of the input default theory. When the (D) rule is about to be applied, 
several steps are performed to handle default rules systematically. First, the 
available list is scanned, and each rule is checked for being triggered. Triggered rules 
are moved into the triggered list, and the rest are left in the available list. Note 
that non-triggered rules may become triggered in the future, after some default 
is added to the branch. The triggered list is also scanned, and each rule is checked 
for being blocked in the current branch. When a rule is blocked, it is deleted from the 
triggered list and never comes back in that branch. Once this is done, 
DefTab uses the triggered list to apply the rule (D). The tableau branches as many times 
as there are rules in the (non-blocked) triggered list. For each new branch, the 
procedure removes the corresponding rule from the triggered list, and adds it 
and its consequent formula to the branch. 
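The procedure of the last three paragraphs (subtableau checks for triggered and blocked rules, the available/triggered lists, one branch per detached rule, and a cache keyed by the subtableau's initial formulas), as an added example that is not DefTab's code: the hybrid-logic tableaux that HTab supplies are replaced by a truth-table entailment check over propositional formulas, and the input theories are constructed here.

```python
"""Sceptical default consequence over propositional logic, following the
procedure of Sec. 4: available/triggered lists, subtableau checks for
'triggered' and 'blocked', one branch per detached rule, and a cache of
subtableau results keyed by the set of initial formulas."""
from itertools import product

# Formulas are nested tuples: ('var', name), ('not', f), ('and', f, g), ('or', f, g).
def V(name): return ('var', name)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Or(f, g): return ('or', f, g)
TOP = Or(V('_t'), Not(V('_t')))   # a tautology standing for the constant true
BOT = Not(TOP)                    # a contradiction standing for the constant false

def atoms(f, acc=None):
    """Collect the variable names occurring in f."""
    acc = set() if acc is None else acc
    if f[0] == 'var':
        acc.add(f[1])
    else:
        for sub in f[1:]:
            atoms(sub, acc)
    return acc

def holds(f, valuation):
    """Classical truth value of f under a dict variable -> bool."""
    op = f[0]
    if op == 'var':
        return valuation[f[1]]
    if op == 'not':
        return not holds(f[1], valuation)
    if op == 'and':
        return holds(f[1], valuation) and holds(f[2], valuation)
    return holds(f[1], valuation) or holds(f[2], valuation)   # 'or'

class SubtableauCache:
    """Stands in for DefTab's dictionary of subtableau results. The real
    subtableaux are HL tableaux; here a truth table decides entailment."""
    def __init__(self):
        self.store, self.hits, self.misses = {}, 0, 0

    def entails(self, premises, goal):
        """premises |- goal. The key is the set of initial formulas of the
        subtableau, so a repeated check costs one dictionary lookup."""
        key = (frozenset(premises), goal)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        self.misses += 1
        names = sorted(atoms(goal, set().union(*(atoms(p) for p in premises))))
        valuations = (dict(zip(names, bits))
                      for bits in product([False, True], repeat=len(names)))
        result = all(holds(goal, v) for v in valuations
                     if all(holds(p, v) for p in premises))
        self.store[key] = result
        return result

def sceptical(facts, defaults, goal, cache=None):
    """True iff goal holds in every extension of the normal default theory
    (facts, defaults); each default is a pair (prerequisite, consequent)."""
    cache = cache if cache is not None else SubtableauCache()
    return _expand(frozenset(facts), list(defaults), [], goal, cache)

def _expand(branch, available, triggered, goal, cache):
    # Step 1: scan 'available'. Rules whose prerequisite follows from the
    # branch move to 'triggered'; the others stay, since they may trigger later.
    still_available = []
    for d in available:
        (triggered if cache.entails(branch, d[0]) else still_available).append(d)
    # Step 2: drop blocked rules, whose consequent would close the branch.
    # The branch only grows, so a blocked rule never comes back in it.
    live = [d for d in triggered if not cache.entails(branch | {d[1]}, BOT)]
    if not live:
        # Rule (D) no longer applies: the branch is saturated and describes
        # one extension, from which the goal must follow.
        return cache.entails(branch, goal)
    # Step 3: branch once per non-blocked triggered rule. The chosen rule is
    # removed from 'triggered' and its consequent is added to the branch.
    return all(_expand(branch | {d[1]}, still_available,
                       [e for e in live if e != d], goal, cache)
               for d in live)

if __name__ == '__main__':
    # Constructed example, the Nixon diamond: the two extensions disagree on
    # 'pacifist', so it is not a sceptical consequence, while the disjunction
    # of the facts holds in both.
    quaker, republican, pacifist = V('quaker'), V('republican'), V('pacifist')
    nixon = [(quaker, pacifist), (republican, Not(pacifist))]
    print(sceptical([quaker, republican], nixon, pacifist))               # False
    print(sceptical([quaker, republican], nixon, Or(quaker, republican)))  # True
```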


Backjumping. Backjumping [14] is a standard optimization for the HL calculus 
that greatly improves performance (see [13]). The overall idea is that, instead 
of performing simple backtracking when a branch is found to be closed, backjumping 
calculates the lowest level to which the execution of the tableau may 
directly come back when a clash is found. This requires all formulas in the 
tableau to be annotated with a set of dependencies. A dependency is the level 
of a branching rule application. For the specific case of default tableaux, we take 
special care in tracking the dependencies of the formulas introduced by the application 
of rule (D). To do so, once a default $\pi/\chi$ is triggered, we bookkeep it in 
the triggered list along with the dependencies of the formulas that triggered it, 
according to Definition 2. Concretely, this is the union of the dependencies of all 
defaults $\Delta'$ whose consequents $\Delta'^{\chi}$, together with the facts, entail $\pi$. When the (D) rule is applied, the consequent 
of a default is added to the current branch with these dependencies, plus the 
dependency of the current tableau level. 


Usage. DefTab takes as input a file following the structure of the following 
simple example file hybrid01.dt: 

    facts: 
    N0: <> N1; 
    defaults: 
    (N0: <>N1) --> (N1:<>N0); 
    consequence: 
    N0:<><>N0; 

The keyword facts indicates the beginning of the set of formulas of the 
default theory. The keyword defaults indicates the beginning of the set of 
defaults; the syntax for a default $\pi/\chi$ is $\pi$ --> $\chi$. The keyword consequence 
indicates the formula to be proven. 

DefTab is executed from the command line as: 

    $ ./deftab -f hybrid01.dt 
    Indeed a sceptical consequence. 
    Elapsed time: 0.00 seconds 

The output indicates that N0:<><>N0 ($@_{N_0}\Diamond\Diamond N_0$) is a sceptical 
consequence of the default theory. 


5 Testing Generation and Methodology 


Hybrid and Default Formulas Generation. Another contribution of our 
work is to provide a systematic way of constructing test cases for MHL provers. 
To our knowledge, there is no standard test set for automated reasoning with 
default logic, and even less so for default reasoning based on HL. 

We build test cases for DHL using the random formula generator hGen [2]. 
hGen enables us to generate formulas in conjunctive normal form (CNF) from 
several fragments of HL, such as CPL, BML and HL. Moreover, hGen also allows 
us to specify the different parameters of a formula: number of clauses, size of 
clauses and modal depth of each subformula of a clause, probability that 
an operator appears in the clause (e.g. modal, hybrid, universal), and the total 
number of propositional symbols and nominals. 
We adapted hGen to generate normal default theories from random HL formulas. 
The transformation depends on the satisfiability status of the original 
HL formulas. The first case applies to satisfiable formulas of HL in CNF. Given 
$c_1 \ldots c_n$ the clauses of an HL formula, we put each one of them as the consequent 
of a default $\top/c_i$, and put $\bot$ as the consequence to be proved. As the 
original set of clauses is satisfiable, and the consequence is never provable, all 
the defaults will be applied (as putting $\top$ as the prerequisite triggers every rule) 
in all possible permutations. This is an easy way to stress our tool. 

The second case works with unsatisfiable formulas of HL in CNF. Here, we use 
an intentionally harder transformation. Given $c_1 \ldots c_n$ the clauses of the HL formula, 
then for all $i < n$, we generate two rules: $\top / c_i \vee c_{i+1}$ and $c_i \vee c_{i+1} / c_i \wedge c_{i+1}$. 
Finally, we add $c_n$ as consequence. In this case, not all defaults will be applied 
to the same branch, but a great number of them will. Moreover, the formula $c_n$ may or 
may not be a sceptical consequence of the default theory; this is another difference 
with the case of satisfiable formulas. This case not only serves to test the 
scalability of our tool, but also its correctness. 
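The two transformations just described, as an added example that is not hGen's or DefTab's code: clauses are passed as strings already written in the prover's syntax, the theory is returned as (facts, defaults, consequence) and can be laid out in the .dt format of the Usage paragraph; the spellings of the constants and connectives and the empty facts set are assumptions.

```python
"""Turning the clauses of a CNF formula into a normal default theory, in the
two cases described above (satisfiable and unsatisfiable input)."""

TOP, BOT = 'True', 'False'   # assumed spellings of the constants top and bottom
OR, AND = ' v ', ' ^ '         # assumed spellings of disjunction and conjunction

def theory_from_satisfiable(clauses):
    """Case 1 (satisfiable CNF): one default TOP/c_i per clause, goal BOT.
    Every default is triggered at once, so all application orders are
    explored and the goal is never provable: a pure stress test.
    The facts set is left empty (assumption)."""
    defaults = [(TOP, c) for c in clauses]
    return [], defaults, BOT

def theory_from_unsatisfiable(clauses):
    """Case 2 (unsatisfiable CNF): for every i < n the pair of defaults
    TOP / (c_i v c_{i+1}) and (c_i v c_{i+1}) / (c_i ^ c_{i+1}); goal c_n.
    The second rule of each pair can only trigger after the first fires,
    so not every default is applied on every branch."""
    defaults = []
    for c_i, c_next in zip(clauses, clauses[1:]):
        disj = f'({c_i}{OR}{c_next})'
        conj = f'({c_i}{AND}{c_next})'
        defaults.append((TOP, disj))
        defaults.append((disj, conj))
    return [], defaults, clauses[-1]

def render_dt(facts, defaults, consequence):
    """Lay the theory out with the facts:/defaults:/consequence: keywords
    and the 'pre --> cons' default syntax shown in the Usage paragraph."""
    lines = ['facts:'] + [f'{f};' for f in facts]
    lines += ['defaults:'] + [f'{pre} --> {cons};' for pre, cons in defaults]
    lines += ['consequence:', f'{consequence};']
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    # Constructed clause strings standing for an unsatisfiable CNF formula.
    print(render_dt(*theory_from_unsatisfiable(['c1', 'c2', 'c3'])))
```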


Test Suite Structure. The Bash script testsuite.sh executes four steps: 
formula generation, renaming, benchmark, and consistency check. 

The formula generation step uses hGen to generate random sets of formulas 
from CPL, BML, HL′ and HL, respectively. Initially, each set contains 1000 
formulas. Then, the Hybrid Logic prover HTab ([13]) is run to classify each set 
of formulas into satisfiable (SAT) and unsatisfiable (UNSAT). This way, hGen 
generates the corresponding default theories, as described in the previous section. 
The renaming step is then performed to organize file names in each folder. 

The benchmark step all allows specifying a list of provers to be run. Currently, 
it is performed with DefTab with cache disabled (NC) and DefTab with cache 
enabled (C), but the script can be easily modified to run any new default prover. 
The provers are executed on all input files of each combination of 4 languages 
and 2 satisfiability values, and the results (execution time and answer) are stored 
in log files. The script reports how many formulas could be solved within 10s, 
30s, and 60s. This is done by running the provers with the highest timeout 
value; the other values are deduced from the prover's running time. 

Finally, the consistency check step looks for inconsistent outputs between 
provers by comparing the log files generated in the previous step. 

Although the preselected option is to run all these steps together, they can 
also be run separately. This makes it possible to run the benchmark step on a known set 
of formulas, to reproduce results. Instructions on how to run the tests, the test 
script and the set of formulas used to generate the following results can be found 
at http://tinyurl.com/deftab0. 


hGen parameters. For each language, we tuned hGen's parameters to get a 
good SAT/UNSAT balance of its output (ideally a 50/50 ratio). We also aimed 
at getting a balanced difficulty of the translated default theories. That is, the sets 
of default theories should be hard enough so that many of them make DefTab 
time out and we may measure improvements in the future, but not too hard, so that 
we can already observe different results according to different timeout values. 
The parameters for each language are: for CPL, 33 clauses and 10 proposition 
symbols; for BML, 34 clauses, 10 proposition symbols, one relation and 2 nested 
modal operators as maximum; for HL′, 15 clauses, 3 proposition symbols, 3 
nominals, one relation and 6 nested modal and hybrid operators as maximum; 
and for HL, 13 clauses, 2 proposition symbols, 2 nominals, one relation and 
6 nested modal, hybrid and universal operators as maximum. Moreover, each 
language has fine-tuned probabilities of the different logic connectives in order 
to meet the SAT/UNSAT and timeout balances that the following results show. 
All parameters can be found in the released test script. 


Results. We report below a run of the benchmark script with 1000 formulas 
per language, performed with DefTab with cache disabled (NC) and DefTab with 
cache enabled (C). DefTab was compiled with GHC 8.10.7, and the tests were run 
on the following platform: Ubuntu 22.04 operating system, Linux 5.19 kernel, 
12th Gen Intel i7-1260P CPU with 16 cores, 16GB of RAM and SSD storage. 


                 |                   Timeout 
Formulas         | 10 secs.    | 30 secs.    | 60 secs. 
                 | (NC)  (C)   | (NC)  (C)   | (NC)  (C) 
CPL SAT (516)    | 122   135   | 133   144   | 138   146 
CPL UNSAT (484)  | 255   324   | 309   364   | 336   384 
BML SAT (462)    | 356   399   | 384   417   | 398   425 
BML UNSAT (538)  | 154   193   | 252   324   | 295   367 
HL′ SAT (534)    | 401   434   | 419   444   | 431   450 
HL′ UNSAT (466)  | 142   153   | 150   170   | 158   183 
HL SAT (480)     | 284   321   | 309   331   | 320   343 
HL UNSAT (520)   | 145   161   | 161   183   | 169   193 


Finally, the following table describes the outcome of checking sceptical consequence 
of those formulas that were originally unsatisfiable. We take therein all 
the test cases that finished within the timeout of 60s, solved using caching. The column 
labelled ‘Consequence’ indicates the number of formulas for which running 
DefTab returns that it is indeed a sceptical consequence in the corresponding default 
theories; while ‘Not Consequence’ indicates the number of formulas for which 
DefTab returns that they are not a sceptical consequence. 


Formulas   | Results 
           | Total | Consequence | Not Consequence 
CPL UNSAT  | 384   | 24          | 360 
BML UNSAT  | 367   | 322         | 45 
HL′ UNSAT  | 183   | 111         | 72 
HL UNSAT   | 193   | 100         | 93 
These results are useful for checking consistency across the execution of different 
provers, or provers executed with different parameters, as we are currently 
doing with DefTab's cache option. Moreover, we would like to compare 
the obtained data with the results of running other provers for the different 
fragments that are supported by DefTab, to assess both the soundness and the performance 
of our tool. This is part of our future work agenda. 


6 Final Remarks 


We reported on DefTab, a tableaux-based system to decide sceptical consequence 
in Default Logic over Hybrid Modal Logic. To the best of our knowledge, DefTab 
is the first prover combining Modal and Default Logic. This said, other provers 
do exist for Default Logic. For instance, DeReS is a default logic reasoner with an 
underlying propositional tableaux calculus [8]. This prover is designed to check 
default consequence treating reasoning in the underlying logic as a “black box”. 
This contrasts with DefTab which extends tableaux reasoning in the underlying 
logic with the use of defaults. At present, DefTab only supports sceptical con- 
sequence checking, while DeReS also supports credulous consequence checking. 
We have not been able to find a working implementation of DeReS. However, 
many of the ideas presented in [8] can be explored in our setting, in particular, 
the kind of (graph-based) problems that are used to generate test cases. 

Although not a default logic reasoner, in [15], a nonmonotonic reasoning plug- 
in for OWL ontologies is presented. DefTab could approach this tool by imple- 
menting multiple relations (roles) and role inclusions to its underlying modal 
language. In [10] a tool supporting default reasoning over knowledge bases is 
reported, this time not via a calculus implementation but via a translation into 
conjunctive query programs in a Description Logic reasoner. After adapting our 
calculus to handle Description Logic features, it would be interesting to use the 
above-mentioned tools to perform a comparison with DefTab, both for correct- 
ness and performance. 

We provided a systematic way of testing our tool, by introducing a test suite 
generation method based on hGen [2] and HTab [12,13]. This idea can be easily 
adapted to any kind of default prover working over CPL, BML, HL′ and HL. We 
tested the performance of our tool using this test suite, and empirically showed 
that DefTab's subtableaux caching optimization positively impacts performance. 

For future work there are several other interesting lines of research. The 
treatment of defaults in the calculus can be seen as parametric on the underly- 
ing logic (modulo some basic properties, e.g., the possibility of using premises, 
see [6]). DefTab was originally designed to handle Default Logic over Intuition- 
istic Logic [7]. Herein, the tableaux-based procedure not only handles classical 
reasoning instead of intuitionistic reasoning, but also it is extended to support 
a family of Modal Logics (i.e., the fragments we described along the paper). 
Moreover, our approach allowed us to design test suites that can be used to test 
DefTab and other nonmonotonic provers. These ideas can be extended to better 
assess the behaviour of the tools. We believe that our implementation is a first 
step towards having a modular prover that can be generalized to a wider family 
of Default Logics. 
Abstract. We define LE-ALC, a generalization of the description logic 
ALC based on the propositional logic of general (i.e. not necessarily distributive) 
lattices, and semantically interpreted on relational structures 
based on formal contexts from Formal Concept Analysis (FCA). The 
description logic LE-ALC allows us to formally describe databases with 
objects, features, and formal concepts, represented according to FCA 
as Galois-stable sets of objects and features. We describe ABoxes and 
TBoxes in LE-ALC, provide a tableaux algorithm for checking the consistency 
of LE-ALC knowledge bases with acyclic TBoxes, and show 
its termination, soundness and completeness. Interestingly, consistency 
checking for LE-ALC with acyclic TBoxes is in PTIME, while the complexity 
of the consistency checking of classical ALC with acyclic TBoxes 
is PSPACE-complete. 


Keywords: Description logic - Tableaux algorithm - Formal Concept 
Analysis - LE-logics 


1 Introduction 


Description Logic (DL) [2] is a class of logical formalisms, typically based on 
classical first-order logic, and widely used in Knowledge Representation and 
Reasoning to describe and reason about relevant concepts in a given application 
domain and their relationships. Since certain laws of classical logic fail in cer- 
tain application domains, in recent years, there has been a growing interest in 
developing versions of description logics on weaker (non-classical) propositional 
bases. For instance, in [20], an intuitionistic version of the DL ALC has been 
introduced for resolving some inconsistencies arising from the classical law of 
excluded middle when applying ALC to legal domains. In [6,19], many-valued 
(fuzzy) description logics have been introduced to account for uncertainty and 
imprecision in processing information in the Semantic Web, and recently, frameworks 
of non-monotonic description logics have been introduced [14,15,18]. 

One domain of application in which there is no consensus as to how classical 
logic should be applied is Formal Concept Analysis (FCA). In this setting, formal 
concepts arise from formal contexts $\mathbb{P} = (A, X, I)$, where $A$ and $X$ are sets (of 
objects and features respectively), and $I \subseteq A \times X$. Specifically, formal concepts 
are represented as Galois-stable tuples $(B, Y)$ such that $B \subseteq A$ and $Y \subseteq X$ 
and $B = \{a \in A \mid \forall y\,(y \in Y \Rightarrow aIy)\}$ and $Y = \{x \in X \mid \forall b\,(b \in B \Rightarrow bIx)\}$. 
The formal concepts arising from a formal context are naturally endowed with 
a partial order (the sub-concept/super-concept relation) as follows: $(B_1, Y_1) \leq 
(B_2, Y_2)$ iff $B_1 \subseteq B_2$ iff $Y_2 \subseteq Y_1$. This partial order is a complete lattice, which is 
in general non-distributive. The failure of distributivity in the lattice of formal 
concepts introduces a tension between classical logic and the natural logic of 
formal concepts in FCA. This failure motivated the introduction of lattice-based 
propositional (modal) logics as the (epistemic) logics of formal concepts [9,10]. 
Complete relational semantics of these logics is given by enriched formal contexts 
(cf. Sect. 2.2), relational structures $\mathbb{F} = (\mathbb{P}, \mathcal{R}_\Box, \mathcal{R}_\Diamond)$ based on formal contexts. 

In this paper, we introduce LE-ALC, a lattice-based version of ALC which 
stands in the same relation to the lattice-based modal logic of formal concepts 
[12] as classical ALC stands in relation to classical modal logic: the language and 
semantics of LE-ALC is based on enriched formal contexts and their associated 
modal algebras. Thus, just like the language of ALC can be seen as a hybrid 
modal logic language interpreted on Kripke frames, the language of LE-ALC can 
be regarded as a hybrid modal logic language interpreted on enriched formal contexts. 

FCA and DL are different and well-known approaches to the formal representation 
of concepts (or categories). They have been used together for several 
purposes [1,4,17]. Thus, providing a DL framework which allows us to describe 
formal contexts (possibly enriched, e.g. with additional relations on them) would 
be useful in relating these frameworks both at a theoretical and at a practical 
level. Proposals to connect FCA and DL have been made, in which concept 
lattices serve as models for DL concepts. Shilov and Han [21] interpret the pos- 
itive fragment of ALC concept names over concept lattices and show that this 
interpretation is compatible with standard Kripke models for ALC. A similar 
approach is used by Wrum [22] in which complete semantics for the (full) Lam- 
bek calculus is defined on concept lattices. The approach of the present paper 
for defining and interpreting non-distributive description logic and modal logic 
in relation with concept lattices with operators differs from the approaches men- 
tioned above in that it is based on duality-theoretic insights (cf. [10]). This allows 
us not only to show that the DL framework introduced in the present paper is 
consistent with the standard DL setting and its interpretation on Kripke models, 
but also to show that several properties of these logics and the meaning of their 
formulas can also be "lifted" from the classical (distributive) to non-distributive 
settings (cf. [7,8,12] for extended discussions). 

The main technical contribution of this paper is a tableaux algorithm for 
checking the consistency of LE-ALC ABoxes. We show that the algorithm is 
terminating, sound and complete. Interestingly, this algorithm has a polynomial 
time complexity, compared to the complexity of the consistency checking of classical 
ALC ABoxes which is PSPACE-complete. The algorithm also constructs a 
model for the given ABox which is polynomial in size. Thus, it also implies that 
the corresponding hybrid modal logic has the finite model property. 

Structure of the Paper. In Sect. 2, we give the necessary preliminaries on the DL 
ALC, lattice-based modal logics and their relational semantics. In Sect. 3, we 
introduce the syntax and the semantics of LE-ALC. In Sect. 4, we introduce a 
tableaux algorithm for checking the consistency of LE-ALC ABoxes and show 
that it is terminating, sound and complete. In Sect. 5, we conclude and discuss 
some future research directions. 


2 Preliminaries 


2.1 Description Logic ALC 


Let $\mathcal{C}$ and $\mathcal{R}$ be disjoint sets of primitive or atomic concept names and role 
names. The set of concept descriptions or compound concept names over $\mathcal{C}$ and 
$\mathcal{R}$ are defined recursively as follows. 

$$C ::= A \mid \top \mid \bot \mid C \wedge C \mid C \vee C \mid \neg C \mid \exists r.C \mid \forall r.C$$ 

where $A \in \mathcal{C}$ and $r \in \mathcal{R}$. An interpretation is a tuple $I = (\Delta^I, \cdot^I)$ s.t. $\Delta^I$ is a 
non-empty set and $\cdot^I$ maps every concept name $A \in \mathcal{C}$ to a set $A^I \subseteq \Delta^I$, and 
every role name $r \in \mathcal{R}$ to a relation $r^I \subseteq \Delta^I \times \Delta^I$. This mapping extends to all 
concept descriptions as follows: 


$$\begin{array}{ll}
\top^I = \Delta^I & \bot^I = \emptyset \\
(C \wedge D)^I = C^I \cap D^I & (C \vee D)^I = C^I \cup D^I \\
(\exists r.C)^I = \{d \in \Delta^I \mid \exists e\,((d,e) \in r^I \ \&\ e \in C^I)\} & (\neg C)^I = \Delta^I \setminus C^I \\
(\forall r.C)^I = \{d \in \Delta^I \mid \forall e\,((d,e) \in r^I \Rightarrow e \in C^I)\} &
\end{array}$$ 


Let $\mathsf{S}$ be a set of individual names disjoint from $\mathcal{C}$ and $\mathcal{R}$, such that for every 
$a$ in $\mathsf{S}$, $a^I \in \Delta^I$. For any $a, b \in \mathsf{S}$, any $C \in \mathcal{C}$ and $r \in \mathcal{R}$, an expression of the 
form $a : C$ (resp. $(a, b) : r$) is an ALC concept assertion (resp. role assertion). A 
finite set of ALC concept and role assertions is an ALC ABox. An assertion $a : C$ 
(resp. $(a, b) : r$) is satisfied in an interpretation $I$ if $a^I \in C^I$ (resp. if $(a^I, b^I) \in r^I$). 
An ALC TBox is a finite set of expressions of the form $C_1 = C_2$. An interpretation 
$I$ satisfies $C_1 = C_2$ iff $C_1^I = C_2^I$. An ALC knowledge base is a tuple $(\mathcal{A}, \mathcal{T})$, where 
$\mathcal{A}$ is an ALC ABox, and $\mathcal{T}$ is an ALC TBox. An interpretation $I$ is a model for 
a knowledge base $(\mathcal{A}, \mathcal{T})$ iff it satisfies all members of $\mathcal{A}$ and $\mathcal{T}$. A knowledge 
base $(\mathcal{A}, \mathcal{T})$ is consistent if there is a model for it. An ABox $\mathcal{A}$ (resp. TBox $\mathcal{T}$) 
is consistent if the knowledge base $(\mathcal{A}, \emptyset)$ (resp. $(\emptyset, \mathcal{T})$) is consistent. 

An ALC concept definition in $\mathcal{T}$ is an expression of the form $A = C$ where 
$A$ is an atomic concept. We say that $A$ directly uses $B$ if there is a concept 
definition $A = C$ in $\mathcal{T}$ such that $B$ occurs in $C$. We say that $A$ uses $B$ if $A$ 
directly uses $B$, or if there is a concept name $B'$ such that $A$ uses $B'$ and $B'$ 
directly uses $B$. A finite set $\mathcal{T}$ of concept definitions is an acyclic TBox if 

1. there is no concept name in $\mathcal{T}$ that uses itself, 
2. no concept name occurs more than once on the left-hand side of a concept 
definition in $\mathcal{T}$. 


Checking the consistency of a knowledge base is a key problem in description 
logics, usually solved via tableaux algorithms. In the ALC case, checking the 
consistency of any knowledge base is EXPTIME-complete while checking the 
consistency of a knowledge base with acyclic TBoxes is PSPACE-complete [2]. 


2.2 Basic Normal Non-distributive Modal Logic and Its Semantics 


The logic introduced in this section is part of a family of lattice-based logics, 
sometimes referred to as LE-logics (cf. [11]), which have been studied in the 
context of a research program on the logical foundations of categorization theory 
[8-10,12]. Let $\mathsf{Prop}$ be a (countable) set of atomic propositions. The language $\mathcal{L}$ 
is defined as follows: 


$$\varphi ::= \bot \mid \top \mid p \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \Box\varphi \mid \Diamond\varphi,$$ 

where $p \in \mathsf{Prop}$, and $\Box \in \mathcal{G}$ and $\Diamond \in \mathcal{F}$ for finite sets $\mathcal{F}$ and $\mathcal{G}$ of unary $\Diamond$-type 
(resp. $\Box$-type) modal operators. The basic, or minimal normal $\mathcal{L}$-logic is a set 
$\mathbf{L}$ of sequents $\varphi \vdash \psi$, with $\varphi, \psi \in \mathcal{L}$, containing the following axioms for every 
$\Diamond \in \mathcal{F}$ and $\Box \in \mathcal{G}$: 

$$\begin{array}{llllll}
p \vdash p & \bot \vdash p & p \vdash p \vee q & p \wedge q \vdash p & \top \vdash \Box\top & \Box p \wedge \Box q \vdash \Box(p \wedge q) \\
p \vdash \top & q \vdash p \vee q & p \wedge q \vdash q & \Diamond\bot \vdash \bot & \Diamond(p \vee q) \vdash \Diamond p \vee \Diamond q &
\end{array}$$ 


and closed under the following inference rules: 


$$\frac{\varphi \vdash \chi \quad \chi \vdash \psi}{\varphi \vdash \psi} \qquad
\frac{\varphi \vdash \psi}{\varphi(\chi/p) \vdash \psi(\chi/p)} \qquad
\frac{\chi \vdash \varphi \quad \chi \vdash \psi}{\chi \vdash \varphi \wedge \psi} \qquad
\frac{\varphi \vdash \chi \quad \psi \vdash \chi}{\varphi \vee \psi \vdash \chi} \qquad
\frac{\varphi \vdash \psi}{\Box\varphi \vdash \Box\psi} \qquad
\frac{\varphi \vdash \psi}{\Diamond\varphi \vdash \Diamond\psi}$$ 


Note that unlike in classical modal logic, we cannot assume that $\Box$ and $\Diamond$ 
are inter-definable in LE-logics, hence we take all connectives as primitive. 


Relational Semantics. The following notation, notions and facts are from [8, 12]. 
For any binary relation $T \subseteq U \times V$, and any $U' \subseteq U$ and $V' \subseteq V$, we let $T^c$ 
denote the set-theoretic complement of $T$ in $U \times V$, and 

$$T^{(1)}[U'] := \{v \mid \forall u\,(u \in U' \Rightarrow uTv)\} \qquad T^{(0)}[V'] := \{u \mid \forall v\,(v \in V' \Rightarrow uTv)\}. \quad (1)$$ 


In what follows, we fix two sets $A$ and $X$, and use $a, b$ (resp. $x, y$) for elements 
of $A$ (resp. $X$), and $B, C, A_j$ (resp. $Y, W, X_j$) for subsets of $A$ (resp. of $X$). 

A polarity or formal context (cf. [13]) is a tuple $\mathbb{P} = (A, X, I)$, where $A$ and 
$X$ are sets, and $I \subseteq A \times X$ is a binary relation. Intuitively, formal contexts can 
be understood as abstract representations of databases [13], so that $A$ and $X$ 
represent collections of objects and features, and for any object $a$ and feature $x$, 
the tuple $(a, x)$ belongs to $I$ exactly when object $a$ has feature $x$. 
As is well known, for every formal context $\mathbb{P} = (A, X, I)$, the pair of maps 

$$(\cdot)^{\uparrow} : \mathcal{P}(A) \to \mathcal{P}(X) \quad \text{and} \quad (\cdot)^{\downarrow} : \mathcal{P}(X) \to \mathcal{P}(A),$$ 

defined by the assignments $B^{\uparrow} := I^{(1)}[B]$ and $Y^{\downarrow} := I^{(0)}[Y]$, form a Galois 
connection, and hence induce the closure operators $(\cdot)^{\uparrow\downarrow}$ and $(\cdot)^{\downarrow\uparrow}$ on $\mathcal{P}(A)$ and 
on $\mathcal{P}(X)$ respectively. The fixed points of $(\cdot)^{\uparrow\downarrow}$ and $(\cdot)^{\downarrow\uparrow}$ are the Galois-stable 
sets. A formal concept of a polarity $\mathbb{P} = (A, X, I)$ is a tuple $c = (B, Y)$ such 
that $B \subseteq A$ and $Y \subseteq X$, and $B = Y^{\downarrow}$ and $Y = B^{\uparrow}$. The subset $B$ (resp. $Y$) is 
the extension (resp. the intension) of $c$ and is denoted by $[\![c]\!]$ (resp. $(\![c]\!)$). It is 
well known (cf. [13]) that the sets $B$ and $Y$ are Galois-stable, and that the set 
of formal concepts of a polarity $\mathbb{P}$, with the order defined by 

$$c_1 \leq c_2 \quad \text{iff} \quad [\![c_1]\!] \subseteq [\![c_2]\!] \quad \text{iff} \quad (\![c_2]\!) \subseteq (\![c_1]\!),$$ 

forms a complete lattice $\mathbb{P}^{+}$, namely the concept lattice of $\mathbb{P}$. 

For the language $\mathcal{L}$ defined above, an enriched formal $\mathcal{L}$-context is a tuple 
$\mathbb{F} = (\mathbb{P}, \mathcal{R}_\Box, \mathcal{R}_\Diamond)$, where $\mathcal{R}_\Box = \{R_\Box \subseteq A \times X \mid \Box \in \mathcal{G}\}$ and $\mathcal{R}_\Diamond = \{R_\Diamond \subseteq 
X \times A \mid \Diamond \in \mathcal{F}\}$ are sets of $I$-compatible relations, that is, for all $\Box \in \mathcal{G}$, $\Diamond \in \mathcal{F}$, 
$a \in A$, and $x \in X$, the sets $R_\Box^{(0)}[x]$, $R_\Box^{(1)}[a]$, $R_\Diamond^{(0)}[a]$, $R_\Diamond^{(1)}[x]$ are Galois-stable in 
$\mathbb{P}$. For each $\Box \in \mathcal{G}$ and $\Diamond \in \mathcal{F}$, their associated relations $R_\Box$ and $R_\Diamond$ provide 
their corresponding semantic interpretations as operations $[R_\Box]$ and $\langle R_\Diamond \rangle$ on the 
concept lattice $\mathbb{P}^{+}$ defined as follows: for any $c \in \mathbb{P}^{+}$, 

$$[R_\Box]c = \big(R_\Box^{(0)}[(\![c]\!)],\ I^{(1)}[R_\Box^{(0)}[(\![c]\!)]]\big) \quad \text{and} \quad \langle R_\Diamond \rangle c = \big(I^{(0)}[R_\Diamond^{(0)}[[\![c]\!]]],\ R_\Diamond^{(0)}[[\![c]\!]]\big).$$ 

We refer to the algebra $\mathbb{F}^{+} = (\mathbb{P}^{+}, \{[R_\Box]\}_{\Box \in \mathcal{G}}, \{\langle R_\Diamond \rangle\}_{\Diamond \in \mathcal{F}})$ as the complex 
algebra of $\mathbb{F}$. 

A valuation on such an $\mathbb{F}$ is a map $V : \mathsf{Prop} \to \mathbb{P}^{+}$. For each $p \in \mathsf{Prop}$, we 
let $[\![p]\!] := [\![V(p)]\!]$ (resp. $(\![p]\!) := (\![V(p)]\!)$) denote the extension (resp. intension) of 
the interpretation of $p$ under $V$. 

A model is a tuple $\mathbb{M} = (\mathbb{F}, V)$ where $\mathbb{F} = (\mathbb{P}, \mathcal{R}_\Box, \mathcal{R}_\Diamond)$ is an enriched formal 
context and $V$ is a valuation on $\mathbb{F}$. For every $\varphi \in \mathcal{L}$, we let $[\![\varphi]\!]_{\mathbb{M}} := [\![V(\varphi)]\!]$ 
(resp. $(\![\varphi]\!)_{\mathbb{M}} := (\![V(\varphi)]\!)$) denote the extension (resp. intension) of the interpretation 
of $\varphi$ under the homomorphic extension of $V$. The following ‘forcing’ relations 
can be recursively defined as follows: 


$$\begin{array}{ll}
\mathbb{M}, a \Vdash p \ \text{iff}\ a \in [\![p]\!]_{\mathbb{M}} & \mathbb{M}, x \succ p \ \text{iff}\ x \in (\![p]\!)_{\mathbb{M}} \\
\mathbb{M}, a \Vdash \top \ \text{always} & \mathbb{M}, x \succ \top \ \text{iff}\ aIx \ \text{for all}\ a \in A \\
\mathbb{M}, x \succ \bot \ \text{always} & \mathbb{M}, a \Vdash \bot \ \text{iff}\ aIx \ \text{for all}\ x \in X \\
\mathbb{M}, a \Vdash \varphi \wedge \psi \ \text{iff}\ \mathbb{M}, a \Vdash \varphi \ \text{and}\ \mathbb{M}, a \Vdash \psi & \mathbb{M}, x \succ \varphi \wedge \psi \ \text{iff}\ (\forall a \in A)(\mathbb{M}, a \Vdash \varphi \wedge \psi \Rightarrow aIx) \\
\mathbb{M}, x \succ \varphi \vee \psi \ \text{iff}\ \mathbb{M}, x \succ \varphi \ \text{and}\ \mathbb{M}, x \succ \psi & \mathbb{M}, a \Vdash \varphi \vee \psi \ \text{iff}\ (\forall x \in X)(\mathbb{M}, x \succ \varphi \vee \psi \Rightarrow aIx).
\end{array}$$ 


As to the interpretation of modal formulas, for every $\Box \in \mathcal{G}$ and $\Diamond \in \mathcal{F}$: 

$$\begin{array}{ll}
\mathbb{M}, a \Vdash \Box\varphi \ \text{iff}\ (\forall x \in X)(\mathbb{M}, x \succ \varphi \Rightarrow aR_\Box x) & \mathbb{M}, x \succ \Box\varphi \ \text{iff}\ (\forall a \in A)(\mathbb{M}, a \Vdash \Box\varphi \Rightarrow aIx) \\
\mathbb{M}, x \succ \Diamond\varphi \ \text{iff}\ (\forall a \in A)(\mathbb{M}, a \Vdash \varphi \Rightarrow xR_\Diamond a) & \mathbb{M}, a \Vdash \Diamond\varphi \ \text{iff}\ (\forall x \in X)(\mathbb{M}, x \succ \Diamond\varphi \Rightarrow aIx)
\end{array}$$ 
The definition above ensures that, for any $\mathcal{L}$-formula $\varphi$, 

$$\mathbb{M}, a \Vdash \varphi \ \text{iff}\ a \in [\![\varphi]\!]_{\mathbb{M}} \quad \text{and} \quad \mathbb{M}, x \succ \varphi \ \text{iff}\ x \in (\![\varphi]\!)_{\mathbb{M}}.$$ 

Moreover, 

$$\mathbb{M} \models \varphi \vdash \psi \quad \text{iff} \quad [\![\varphi]\!]_{\mathbb{M}} \subseteq [\![\psi]\!]_{\mathbb{M}} \quad \text{iff} \quad (\![\psi]\!)_{\mathbb{M}} \subseteq (\![\varphi]\!)_{\mathbb{M}}.$$ 


The interpretation of the propositional connectives $\vee$ and $\wedge$ in the framework 
described above reproduces the standard notion of join and meet of formal 
concepts used in FCA. The interpretation of the operators $\Box$ and $\Diamond$ is motivated 
by algebraic properties and duality theory for modal operators on lattices (cf. [12, 
Sect. 3] for an expanded discussion). In [8, Proposition 3.7], it is shown that the 
semantics of LE-logics is compatible with Kripke semantics for classical modal 
logic, and thus, LE-logics are indeed generalizations of classical modal logic. 
This interpretation is further justified in [8, Sect. 4] by noticing that, under 
the interpretations of the relation $I$ as $aIx$ iff “object $a$ has feature $x$” and 
$R = R_\Box = R_\Diamond^{-1}$ as $aRx$ iff “there is evidence that object $a$ has feature $x$”, then, 
for any concept $c$, the extents of the concepts $\Box c$ and $\Diamond c$ can be interpreted as “the 
set of objects which certainly belong to $c$” (upper approximation), and “the 
set of objects which possibly belong to $c$” (lower approximation) respectively. 
Thus, the interpretations of $\Box$ and $\Diamond$ have similar meaning in LE-logic as in 
classical modal logic. A similar justification regarding the similarity of the epistemic 
interpretations of $\Box$ in classical and lattice-based modal logics is discussed in [9]. 
This transfer of meaning of modal axioms from classical modal logic to LE-logics 
has been investigated as a general phenomenon in [7, Sect. 4.3], [12]. 
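The notions of Sect. 2.2 (the maps $T^{(1)}$ and $T^{(0)}$ of (1), Galois-stability, the concept lattice, $I$-compatibility and the operators $[R_\Box]$ and $\langle R_\Diamond \rangle$), together with the reading of $\Box c$ as “the objects that certainly belong to $c$” just discussed, as an added example that is not code from the paper; the formal context and the evidence relation $R \subseteq I$ are constructed for the illustration.

```python
"""Formal concepts, Galois-stability and the [R_box] / <R_dia> operators
of Sect. 2.2, on a small constructed formal context P = (A, X, I)."""
from itertools import combinations

def t1(T, U_prime, V):
    """T^(1)[U'] := {v in V | for all u in U', (u, v) in T}   (equation (1))."""
    return frozenset(v for v in V if all((u, v) in T for u in U_prime))

def t0(T, V_prime, U):
    """T^(0)[V'] := {u in U | for all v in V', (u, v) in T}   (equation (1))."""
    return frozenset(u for u in U if all((u, v) in T for v in V_prime))

class Polarity:
    """A formal context P = (A, X, I); I is a set of (object, feature) pairs."""
    def __init__(self, A, X, I):
        self.A, self.X, self.I = frozenset(A), frozenset(X), frozenset(I)

    def up(self, B):
        """B^up := I^(1)[B], the features shared by every object in B."""
        return t1(self.I, B, self.X)

    def down(self, Y):
        """Y^down := I^(0)[Y], the objects having every feature in Y."""
        return t0(self.I, Y, self.A)

    def stable_objects(self, B):
        """B is Galois-stable iff it is a fixed point of (.)^(up down)."""
        return self.down(self.up(B)) == frozenset(B)

    def stable_features(self, Y):
        """Y is Galois-stable iff it is a fixed point of (.)^(down up)."""
        return self.up(self.down(Y)) == frozenset(Y)

    def concepts(self):
        """All formal concepts (B, Y) with B = Y^down and Y = B^up; every
        concept is the closure of some subset of A, so enumerate those."""
        found = set()
        for k in range(len(self.A) + 1):
            for B in combinations(sorted(self.A), k):
                Y = self.up(B)
                found.add((self.down(Y), Y))
        return found

    @staticmethod
    def leq(c1, c2):
        """c1 <= c2 iff [[c1]] is included in [[c2]] (equivalently ((c2)) in ((c1)))."""
        return c1[0] <= c2[0]

    def compatible_box(self, R):
        """R_box in A x X is I-compatible iff every R^(0)[x] and R^(1)[a] is stable."""
        return (all(self.stable_objects(t0(R, {x}, self.A)) for x in self.X)
                and all(self.stable_features(t1(R, {a}, self.X)) for a in self.A))

    def compatible_dia(self, R):
        """R_dia in X x A is I-compatible iff every R^(0)[a] and R^(1)[x] is stable."""
        return (all(self.stable_features(t0(R, {a}, self.X)) for a in self.A)
                and all(self.stable_objects(t1(R, {x}, self.A)) for x in self.X))

    def box(self, R, c):
        """[R_box]c = (R^(0)[((c))], I^(1)[R^(0)[((c))]])."""
        B = t0(R, c[1], self.A)
        return (B, self.up(B))

    def dia(self, R, c):
        """<R_dia>c = (I^(0)[R^(0)[[[c]]]], R^(0)[[[c]]])."""
        Y = t0(R, c[0], self.X)
        return (self.down(Y), Y)

# Constructed context: three objects, three features.
P = Polarity(A={'a1', 'a2', 'a3'}, X={'x1', 'x2', 'x3'},
             I={('a1', 'x1'), ('a1', 'x2'), ('a2', 'x2'), ('a2', 'x3'), ('a3', 'x3')})
# Constructed 'evidence' relation R included in I: (a2, x2) is in I but not in R,
# i.e. there is no evidence that a2 has feature x2. R is I-compatible here.
R_BOX = P.I - {('a2', 'x2')}
R_DIA = frozenset((x, a) for a, x in R_BOX)   # the converse, R_dia = R_box^(-1)

def concept(P, objects):
    """The smallest concept whose extension contains the given objects."""
    Y = P.up(objects)
    return (P.down(Y), Y)

def certainly_in(P, R, c):
    """Extension of [R]c: objects with evidence for every feature of c."""
    return P.box(R, c)[0]

if __name__ == '__main__':
    c = concept(P, {'a1', 'a2'})                 # ({a1, a2}, {x2})
    print(len(P.concepts()))                      # 6
    print(sorted(certainly_in(P, R_BOX, c)))      # ['a1']
```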


3 LE Description Logic 


In this section, we introduce the non-classical DL LE-ALC, so that LE-ALC 
will be in the same relation with LE-logic as ALC is with classical modal logic. 
This similarity extends to the models we will introduce for LE-ALC: in the 
same way as Kripke models of classical modal logic are used as models of ALC, 
enriched formal contexts, which provide complete semantics for LE-logic, will 
serve as models of LE-ALC. In this specific respect, LE-ALC can be seen as a 
generalization of the positive fragment (i.e. the fragment with no negations in 
concept names) of ALC in which we do not assume distributivity laws to hold 
for concepts. Consequently, the language of LE-ALC contains individuals of two 
types, usually interpreted as the objects and features of the given database or 
categorization. Let $\mathsf{OBJ}$ and $\mathsf{FEAT}$ be disjoint sets of individual names for objects 
and features. 

The set $\mathcal{R}$ of the role names for LE-ALC is the union of three disjoint sets 
of relations: (1) the singleton set $\{I \mid I \subseteq \mathsf{OBJ} \times \mathsf{FEAT}\}$; (2) a set $\mathcal{R}_\Box = \{R_\Box \subseteq 
\mathsf{OBJ} \times \mathsf{FEAT} \mid \Box \in \mathcal{G}\}$; (3) a set $\mathcal{R}_\Diamond = \{R_\Diamond \subseteq \mathsf{FEAT} \times \mathsf{OBJ} \mid \Diamond \in \mathcal{F}\}$. While $I$ 
is intended to be interpreted as the incidence relation of formal concepts, and 
encodes information on which objects have which features, the relations in $\mathcal{R}_\Box$ 
and $\mathcal{R}_\Diamond$ encode additional relationships between objects and features (cf. [8] for 
an extended discussion). 
For any set $\mathcal{C}$ of atomic concept names, the language of LE-ALC concepts is: 

$$C ::= D \mid C_1 \wedge C_2 \mid C_1 \vee C_2 \mid \top \mid \bot \mid \langle R_\Diamond \rangle C \mid [R_\Box] C$$ 

where $D \in \mathcal{C}$, $R_\Diamond \in \mathcal{R}_\Diamond$ and $R_\Box \in \mathcal{R}_\Box$. This language matches the language of 
LE-logic, and has an analogous intended interpretation on the complex algebras 
of enriched formal contexts (cf. Sect. 2.2). As usual, $\vee$ and $\wedge$ are to be interpreted 
as the smallest common superconcept and the greatest common subconcept as 
in FCA. The constants $\top$ and $\bot$ are to be interpreted as the largest and the 
smallest concept, respectively. We do not include $\neg C$ as a valid concept name in 
our language, since there is no canonical and natural way to interpret negations 
in non-distributive settings. 

The concept names $\langle R_\Diamond \rangle C$ and $[R_\Box] C$ in LE-ALC are intended to be interpreted 
as the operations $\langle R_\Diamond \rangle$ and $[R_\Box]$ defined by the interpretations of their 
corresponding role names in enriched formal contexts, analogously to the way in 
which $\exists r$ and $\forall r$ in ALC are interpreted on Kripke frames. We do not use the 
symbols $\forall r$ and $\exists r$ in the context of LE-ALC because, as discussed in Sect. 2.2, 
the semantic clauses of modal operators in LE-logic use universal quantifiers, 
and hence using the same notation verbatim would be ambiguous or misleading. 

TBox assertions in LE-ALC are of the shape $C_1 = C_2$, where $C_1$ and $C_2$ are 
concepts defined as above.¹ The ABox assertions are of the form: 


aRoz, rHRHoa, alx, a:C, mxuC, ~q, 


where o is any of the first five ABox terms. We refer to the terms of first three 
types as relational terms. The interpretations of the terms a : C and x::C are: 
“object a is a member of concept C", and “feature x is in the description of 
concept C", respectively. 

An interpretation for LE-ALC is a tuple I = (F, ·^I), where F = (P, ℛ_□, ℛ_◇) 
is an enriched formal context, and ·^I maps: 


1. individual names a ∈ OBJ (resp. x ∈ FEAT) to some a^I ∈ A (resp. x^I ∈ X); 
2. relation names I, R_□ and R_◇ to relations I^I, R_□^I and R_◇^I in F; 
3. any primitive concept D to D^I ∈ P⁺, and other concepts as follows: 


⊥^I = (X^↓, X)   ⊤^I = (A, A^↑)   (C₁ ∧ C₂)^I = C₁^I ∧ C₂^I 
(C₁ ∨ C₂)^I = C₁^I ∨ C₂^I   ([R_□]C)^I = [R_□^I]C^I   (⟨R_◇⟩C)^I = ⟨R_◇^I⟩C^I 


where the operators [R_□^I] and ⟨R_◇^I⟩ are defined as in Sect. 2.2. 
The satisfiability relation for an interpretation I is defined as follows: 


1. I ⊨ C₁ ≡ C₂ iff [[C₁^I]] = [[C₂^I]] iff ⟨⟨C₁^I⟩⟩ = ⟨⟨C₂^I⟩⟩. 
2. I ⊨ a : C iff a^I ∈ [[C^I]] and I ⊨ x :: C iff x^I ∈ ⟨⟨C^I⟩⟩. 
3. I ⊨ aIx (resp. aR_□x, xR_◇a) iff a^I I^I x^I (resp. a^I R_□^I x^I, x^I R_◇^I a^I). 
4. I ⊨ ¬α, where α is any ABox term, iff I ⊭ α. 


¹ As is standard in DL (cf. [2] for more details), a general concept inclusion of the form 
C₁ ⊑ C₂ can be rewritten as the concept definition C₁ ≡ C₂ ∧ C₃, where C₃ is a new 
concept name. 


An interpretation I is a model for an LE-ALC knowledge base (A, T) if I ⊨ A 
and I ⊨ T. 

The framework of LE-ALC formally brings FCA and DL together in two 
important ways: (1) the concepts of LE-ALC are naturally interpreted as formal 
concepts in FCA; (2) the language of LE-ALC is designed to represent knowledge 
and reasoning in the setting of enriched formal contexts. 


4 Tableaux Algorithm for ABox of LE-ALC 


In this section, we define a tableaux algorithm for checking the consistency of 
LE-ALC ABoxes. An LE-ALC ABox A contains a clash iff it contains both β 
and ¬β for some relational term β. The expansion rules below are designed so 
that the expansion of A will contain a clash iff A is inconsistent. The set sub(C) 
of sub-formulas of any LE-ALC concept name C is defined as usual. 

A concept name C' occurs in A (in symbols: C' ∈ A) if C' ∈ sub(C) for some 
C such that one of the terms a : C, x :: C, ¬a : C, or ¬x :: C is in A. A constant 
b (resp. y) occurs in A (b ∈ A, or y ∈ A) iff some term containing b (resp. y) 
occurs in it. 

The tableaux algorithm below constructs a model (F, ·^I) for every consistent 
A, where F = (P, ℛ_□, ℛ_◇) is such that, for any C ∈ A, some a_C ∈ A and x_C ∈ X 
exist such that, for any a ∈ A (resp. any x ∈ X), a ∈ [[C^I]] (resp. x ∈ ⟨⟨C^I⟩⟩) iff 
aIx_C (resp. a_C Ix). We call a_C and x_C the classifying object and the classifying 
feature of C, respectively. To make our notation more easily readable, we will 
write a_{□C}, x_{□C} (resp. a_{◇C}, x_{◇C}) instead of a_{[R_□]C}, x_{[R_□]C} (resp. a_{⟨R_◇⟩C}, x_{⟨R_◇⟩C}). 
Moreover, for every R_□ ∈ ℛ_□ and R_◇ ∈ ℛ_◇, we will also impose the condition 
that a ∈ [[[R_□]C]] (resp. x ∈ ⟨⟨⟨R_◇⟩C⟩⟩) iff aR_□x_C (resp. xR_◇a_C), where a_C and 
x_C are the classifying object and the classifying feature of C, respectively. Note 
that we can always assume w.l.o.g. that any consistent ABox A is satisfiable in 
a model with classifying objects and features (cf. Theorem 3). 


Algorithm 1. Tableaux algorithm for checking LE-ALC ABox consistency 
Input: An LE-ALC ABox A. Output: whether A is inconsistent. 
1: if there is a clash in A then return “inconsistent”. 
2: if no expansion rule is applicable to A then return “consistent” . 
3: pick any applicable expansion rule R, apply R to A and proceed recursively. 


Below, we list the expansion rules. The commas in each rule are metalinguistic 
conjunctions, hence every tableau is non-branching. Each rule is written as 
premises ⇒ added terms. 

Creation rule: for any C ∈ A ⇒ a_C : C, x_C :: C. 
Basic rule: b : C, y :: C ⇒ bIy. 
Rules for ⊤ and ⊥: (⊤) ⇒ b : ⊤; (⊥) ⇒ y :: ⊥. 

Rules for the logical connectives: 
∨_A: b : C₁ ∨ C₂, y :: C₁, y :: C₂ ⇒ bIy. 
∧_A: b : C₁ ∧ C₂ ⇒ b : C₁, b : C₂. 
∨_X: y :: C₁ ∨ C₂ ⇒ y :: C₁, y :: C₂. 
∧_X: y :: C₁ ∧ C₂, b : C₁, b : C₂ ⇒ bIy. 
□: b : [R_□]C, y :: C ⇒ bR_□y. 
◇: y :: ⟨R_◇⟩C, b : C ⇒ yR_◇b. 

Adjunction rules: 
adj_□: ◆b : C ⇒ b : [R_□]C. 
adj_◇: ■y :: C ⇒ y :: ⟨R_◇⟩C. 
R_□: bR_□y ⇒ ◆bIy, bI□y. 
R_◇: yR_◇b ⇒ ◇bIy, bI■y. 

Basic rules for negative assertions: 
¬(b : C) ⇒ ¬(bIx_C).   ¬(x :: C) ⇒ ¬(a_C Ix). 

Appending rules: 
bIx_C ⇒ b : C.   a_C Iy ⇒ y :: C. 


In rules ⊤ and ⊥, b and y are any objects or features occurring in the tableau. 
In the adjunction rules the individuals ◆b, ◇b, □y, and ■y are new and unique 
for each relation R_□ and R_◇, except for ◇a_C = a_{◇C} and □x_C = x_{□C}. 

The basic rule and the logical rules for the connectives encode the semantics of 
the logical connectives in LE-ALC. The creation rule makes sure that, whenever 
successful, the algorithm outputs models with classifying object a_C and feature 
x_C for every concept name C ∈ A. The adjunction rules imply that every R_□ ∈ 
ℛ_□ and R_◇ ∈ ℛ_◇ are I-compatible. Appending and negative assertion rules 
encode the defining property of classifying objects and features of concepts. 


Remark 1 (Branching). Note that no expansion rule above involves branching. 
Thus, unlike tableaux algorithms for ALC, Algorithm 1 does not involve any 
branching. New elements are added to A only via adjunction and creation rules. 


Example 1. Let A = {b : [R_□][R_□]C₁, b : [R_□][R_□]C₂, y :: [R_□](C₁ ∧ C₂), 
¬(bR_□y)}. It is easy to check that A has no LE-ALC model. The algorithm 
applies to A as follows (we only carry out a partial expansion, enough to show that 
the clash exists): 


Rule | Premises | Added terms 
Creation | | x_{□C_i} :: [R_□]C_i, x_{C₁∧C₂} :: C₁ ∧ C₂ (i = 1, 2) 
□ | x_{□C_i} :: [R_□]C_i, b : [R_□][R_□]C_i | bR_□x_{□C_i} (i = 1, 2) 
R_□ | bR_□x_{□C_i} | ◆bIx_{□C_i} (i = 1, 2) 
Appending | ◆bIx_{□C_i} | ◆b : [R_□]C_i (i = 1, 2) 


By applying the same process to ◆b : [R_□]C₁, ◆b : [R_□]C₂ and x_{C₁} :: C₁, 
x_{C₂} :: C₂, we add the terms ◆◆b : C₁ and ◆◆b : C₂ to the tableau. Then the 
further tableau expansion is as follows: 

Rule | Premises | Added terms 
∧_X | x_{C₁∧C₂} :: C₁ ∧ C₂, ◆◆b : C₁, ◆◆b : C₂ | ◆◆bIx_{C₁∧C₂} 
Appending | ◆◆bIx_{C₁∧C₂} | ◆◆b : C₁ ∧ C₂ 
adj_□ (twice) | ◆◆b : C₁ ∧ C₂ | b : [R_□][R_□](C₁ ∧ C₂) 
□ | b : [R_□][R_□](C₁ ∧ C₂), y :: [R_□](C₁ ∧ C₂) | bR_□y 


Thus, there is a clash between ¬(bR_□y) and bR_□y in the expansion. 


Example 2. Let A = {¬(bIy), y :: C₁, ¬(b : C₂), b : C₁ ∨ C₂, bR_□y}. The following 
table shows the tableau expansion for A. Let W := {C₁, C₂, C₁ ∨ C₂}. 


Rule | Premises | Added terms 
Initial | | ¬(bIy), y :: C₁, ¬(b : C₂), b : C₁ ∨ C₂, bR_□y 
Creation | | a_C : C, x_C :: C (C ∈ W) 
Basic | a_C : C, x_C :: C (C ∈ W) | a_C Ix_C (C ∈ W) 
∨_X | x_{C₁∨C₂} :: C₁ ∨ C₂ | x_{C₁∨C₂} :: C₁, x_{C₁∨C₂} :: C₂ 
Basic | a_{C₁} : C₁, x_{C₁∨C₂} :: C₁ | a_{C₁} Ix_{C₁∨C₂} 
Basic | a_{C₂} : C₂, x_{C₁∨C₂} :: C₂ | a_{C₂} Ix_{C₁∨C₂} 
Appending | a_{C₁} Ix_{C₁∨C₂}, a_{C₂} Ix_{C₁∨C₂} | a_{C₁} : C₁ ∨ C₂, a_{C₂} : C₁ ∨ C₂ 
R_□ | bR_□y | ◆bIy, bI□y 
¬ | ¬(b : C₂) | ¬(bIx_{C₂}) 


Note that no expansion rule is applicable anymore. It is clear that the 
tableau does not contain any clashes. Thus, this ABox has a model. By the 
procedure described in Sect. 4.2, this model is given by ℛ_□ = {R_□}, ℛ_◇ = 
{R_◇}, A = {a_{C₁}, a_{C₂}, a_{C₁∨C₂}, b, ◆b}, X = {x_{C₁}, x_{C₂}, x_{C₁∨C₂}, □y, y}, I = 
{(a_C, x_C) | C ∈ W} ∪ {(a_{C₁}, x_{C₁∨C₂}), (a_{C₂}, x_{C₁∨C₂}), (◆b, y), (b, □y)}, R_□ = {(b, y)}, 
R_◇ = ∅. 
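As an added example (not code from the paper), the following Python program implements Algorithm 1 together with the expansion rules listed above and runs it on the ABoxes of Examples 1 and 2. The tuple encoding of concepts, individuals and terms described in the header comment, the single role name R, and the function names are this example's own choices. Since no rule branches, the completion is computed as a fixed point of the rule set and the clash check is run on it, which decides the same question as the step-wise check of Algorithm 1.

```python
# Added example, not code from the paper: Algorithm 1 with the expansion rules above,
# run on the ABoxes of Examples 1 and 2.  Encoding (an assumption of this example):
#   concept    ('atom', n) | ('top',) | ('bot',) | ('and', C1, C2) | ('or', C1, C2)
#              | ('box', R, C) for [R_box]C | ('dia', R, C) for <R_dia>C
#   individual a str for a named constant; ('a', C) / ('x', C) for a_C / x_C;
#              ('bd', R, b) black-diamond b, ('wd', R, b) white-diamond b,
#              ('wb', R, y) box y, ('bb', R, y) black-box y
#   term       ('mem', b, C) b : C | ('desc', y, C) y :: C | ('I', b, y) b I y
#              | ('rbox', R, b, y) b R_box y | ('rdia', R, y, b) y R_dia b | ('neg', t)

def sub(C):  # sub(C): all sub-concepts of C, C included
    out = {C}
    if C[0] in ('and', 'or'):
        out |= sub(C[1]) | sub(C[2])
    elif C[0] in ('box', 'dia'):
        out |= sub(C[2])
    return out

def is_cls(b, tag):  # is b a structured individual of kind tag?
    return isinstance(b, tuple) and b[0] == tag

def wdia(R, b):  # white diamond, with the identification wdia(a_C) = a_{<R>C}
    return ('a', ('dia', R, b[1])) if is_cls(b, 'a') else ('wd', R, b)

def wbox(R, y):  # white box, with the identification wbox(x_C) = x_{[R]C}
    return ('x', ('box', R, y[1])) if is_cls(y, 'x') else ('wb', R, y)

def expand_once(S):
    """One sweep over every expansion rule; returns the terms not yet in S."""
    new = set()
    plain = [t[1] if t[0] == 'neg' else t for t in S]
    mem = [t for t in S if t[0] == 'mem']
    desc = [t for t in S if t[0] == 'desc']
    concepts = set().union(*(sub(t[2]) for t in plain if t[0] in ('mem', 'desc')))
    for C in concepts:                                  # creation rule
        new.add(('mem', ('a', C), C)); new.add(('desc', ('x', C), C))
    if ('top',) in concepts:                            # rule top (objects seen in b : C / b I y)
        new |= {('mem', t[1], ('top',)) for t in plain if t[0] in ('mem', 'I')}
    if ('bot',) in concepts:                            # rule bottom (features seen in y :: C / b I y)
        new |= {('desc', t[1] if t[0] == 'desc' else t[2], ('bot',))
                for t in plain if t[0] in ('desc', 'I')}
    for _, b, C in mem:
        for _, y, D in desc:
            if C == D:                                  # basic rule
                new.add(('I', b, y))
            if C[0] == 'or' and D == C[1] and ('desc', y, C[2]) in S:   # or_A
                new.add(('I', b, y))
            if D[0] == 'and' and C == D[1] and ('mem', b, D[2]) in S:   # and_X
                new.add(('I', b, y))
            if C[0] == 'box' and D == C[2]:             # box rule
                new.add(('rbox', C[1], b, y))
            if D[0] == 'dia' and C == D[2]:             # diamond rule
                new.add(('rdia', D[1], y, b))
        if C[0] == 'and':                               # and_A
            new.add(('mem', b, C[1])); new.add(('mem', b, C[2]))
        if is_cls(b, 'bd'):                             # adj_box: bd b : C  =>  b : [R]C
            new.add(('mem', b[2], ('box', b[1], C)))
    for _, y, C in desc:
        if C[0] == 'or':                                # or_X
            new.add(('desc', y, C[1])); new.add(('desc', y, C[2]))
        if is_cls(y, 'bb'):                             # adj_dia: bb y :: C  =>  y :: <R>C
            new.add(('desc', y[2], ('dia', y[1], C)))
    for t in S:
        if t[0] == 'rbox':                              # R_box: b R y  =>  bd b I y, b I wb y
            _, R, b, y = t
            new.add(('I', ('bd', R, b), y)); new.add(('I', b, wbox(R, y)))
        elif t[0] == 'rdia':                            # R_dia: y R b  =>  wd b I y, b I bb y
            _, R, y, b = t
            new.add(('I', wdia(R, b), y)); new.add(('I', b, ('bb', R, y)))
        elif t[0] == 'I':                               # appending rules
            if is_cls(t[2], 'x'): new.add(('mem', t[1], t[2][1]))
            if is_cls(t[1], 'a'): new.add(('desc', t[2], t[1][1]))
        elif t[0] == 'neg' and t[1][0] == 'mem':        # negative assertions
            new.add(('neg', ('I', t[1][1], ('x', t[1][2]))))
        elif t[0] == 'neg' and t[1][0] == 'desc':
            new.add(('neg', ('I', ('a', t[1][2]), t[1][1])))
    return new - S

def expand(A, max_rounds=200):
    """Saturate A; the rules never branch, so the fixed point is the completion."""
    S = set(A)
    for _ in range(max_rounds):
        new = expand_once(S)
        if not new:
            return S
        S |= new
    raise RuntimeError("no fixed point reached")       # Theorem 1 rules this out

def has_clash(S):  # a relational term together with its negation
    return any(t[0] == 'neg' and t[1][0] in ('I', 'rbox', 'rdia') and t[1] in S for t in S)

def check_consistency(A):  # Algorithm 1
    return 'inconsistent' if has_clash(expand(A)) else 'consistent'

C1, C2 = ('atom', 'C1'), ('atom', 'C2')
def box(C): return ('box', 'R', C)

def example1():  # {b : [R][R]C1, b : [R][R]C2, y :: [R](C1 and C2), not(b R y)}
    return {('mem', 'b', box(box(C1))), ('mem', 'b', box(box(C2))),
            ('desc', 'y', box(('and', C1, C2))), ('neg', ('rbox', 'R', 'b', 'y'))}

def example2():  # {not(b I y), y :: C1, not(b : C2), b : C1 or C2, b R y}
    return {('neg', ('I', 'b', 'y')), ('desc', 'y', C1), ('neg', ('mem', 'b', C2)),
            ('mem', 'b', ('or', C1, C2)), ('rbox', 'R', 'b', 'y')}
```

check_consistency(example1()) returns 'inconsistent' because the completion contains both bR_□y and ¬(bR_□y), reached through the same chain as in the tables of Example 1 (◆◆b : C₁ ∧ C₂, then two adj_□ steps, then the □ rule); check_consistency(example2()) returns 'consistent'. The max_rounds guard only makes a mistake in the rule encoding fail loudly; Theorem 1 guarantees that a finite ABox reaches a fixed point.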


4.1 Termination of the Tableaux Algorithm 


In this section, we show that Algorithm 1 always terminates for any finite LE- 
ALC ABox A. Since no rule branches out, we only need to check that the number 
of new individuals added by the expansion rules is finite. Note that the only 
rules for adding new individuals are the creation and adjunction rules. The 
creation rules add one new object and feature for every concept C occurring in 
the expansion of A. Thus, it is enough to show that the number of individuals 
and new concepts added by applying adjunction rules is finite. To do so, we will 
show that any individual constant introduced by means of any adjunction rule 
will contain only finitely many modal operators applied to a constant occurring 
in A or added by the creation rule, and any new concept name added will contain 
finitely many □ and ◇ operators applied to a concept occurring in A. 


Definition 1. The □-depth □p and ◇-depth ◇p of C are defined as follows: 

1. If C is an atomic concept, then □p(C) = ◇p(C) = 0; 
2. ◇p(⟨R_◇⟩C) = ◇p(C) + 1 and □p(⟨R_◇⟩C) = □p(C); 
3. ◇p([R_□]C) = ◇p(C) and □p([R_□]C) = □p(C) + 1; 
4. ◇p(C₁ ∨ C₂) = max(◇p(C₁), ◇p(C₂)) and □p(C₁ ∨ C₂) = min(□p(C₁), □p(C₂)); 
5. ◇p(C₁ ∧ C₂) = min(◇p(C₁), ◇p(C₂)) and □p(C₁ ∧ C₂) = max(□p(C₁), □p(C₂)). 


Definition 2. The □-depth □p and ◇-depth ◇p of any constants b and y are: 

1. If b, y ∈ A, then □p(b) = ◇p(b) = □p(y) = ◇p(y) = 0; 
2. □p(a_C) = 0, ◇p(a_C) = −◇p(C), and ◇p(x_C) = 0, □p(x_C) = −□p(C); 
3. □p(◆b) = □p(b) + 1, ◇p(◆b) = ◇p(b), □p(◇b) = □p(b), ◇p(◇b) = ◇p(b) − 1; 
4. □p(□y) = □p(y) − 1, ◇p(□y) = ◇p(y), □p(■y) = □p(y), ◇p(■y) = ◇p(y) + 1. 


The following lemma is key to give bounds on the □-depth and ◇-depth of 
new concept names added in a tableau expansion. 


Lemma 1. For any individual names b, y and for any R_□ ∈ ℛ_□, R_◇ ∈ ℛ_◇, 


1. If bR_□y is added to a tableau expansion, but bR_□y ∉ A, then b : [R_□]C and 
y :: C already occur in a previous expansion of A for some C. 

2. If yR_◇b is added to a tableau expansion, but yR_◇b ∉ A, then y :: ⟨R_◇⟩C and 
b : C already occur in a previous expansion of A for some C. 

3. If bIy is added to a tableau expansion by any rule other than the adjunction 
rules R_□ or R_◇ applied to some term occurring in A, then the tableau can 
(and hence, if A is consistent, it will at some point) be expanded with the 
terms b : C and y :: C (in zero or more steps) for some C. 

4. If bIy is added to the expansion as described in the previous item, then either: 
(i) The terms b : C and y :: C' occur in some previous expansion of A for 
some C, C' such that □p(C) = □p(C') and ◇p(C) = ◇p(C'). 
(ii) b = ◆d (resp. b = ◇d) for some d, and the terms d : [R_□]C and y :: C 
(resp. y :: ⟨R_◇⟩C and b : C) occur in some previous expansion of A for 
some C. 
(iii) y = ■w (resp. y = □w) for some w, and the terms w :: ⟨R_◇⟩C and b : C 
(resp. b : [R_□]C and w :: C) occur in some previous expansion of A for 
some C. 

5. If b : C is added to the tableau by some expansion rule, there is d : C' s.t. 
(i) d : C' ∈ A or is added by applying the creation rule. 
(ii) b is obtained by applying some finite combination of ◇ and ◆ to d. 
(iii) ◇p(C') + ◇p(d) ≤ ◇p(C) + ◇p(b), and □p(C) + □p(b) ≤ □p(C') + □p(d). 

6. If y :: C is added to the tableau by some expansion rule, there is w :: C' s.t. 
(i) w :: C' ∈ A or is added by applying the creation rule. 
(ii) y is obtained by applying some finite combination of □ and ■ to w. 
(iii) ◇p(C) + ◇p(y) ≤ ◇p(C') + ◇p(w), and □p(C') + □p(w) ≤ □p(C) + □p(y). 
Proof. Items 1 and 2 follow from the observation that new terms of the type 
bR_□y and yR_◇b are only added through the expansion rules for terms of the 
forms b : [R_□]C and y :: ⟨R_◇⟩C, respectively. 

For item 3, the cases where bIy is introduced with the expansion rules for 
b : C or y :: C are straightforward. If the expansion rule for y :: C₁ ∧ C₂ is applied, 
then from the term x_{C₁∧C₂} :: C₁ ∧ C₂ we can get bIx_{C₁∧C₂} (since both b : C₁ and 
b : C₂ must be present), finally obtaining b : C₁ ∧ C₂ from the appending rule. 
The b : C₁ ∨ C₂ case is analogous. The only other rule that can add bIy is the 
adjunction rule. However, note that this can only happen if yR_◇b or bR_□y is 
present. By item 1, if the term bR_□y is added then b : [R_□]C and y :: C are in the 
tableau and it also adds the terms ◆bIy and bI□y. Note that since b : [R_□]C and 
y :: C are in the tableau, ◆b : C and □y :: [R_□]C must also be in it. The first term 
can be obtained from b : [R_□]C adding bR_□x_C to the tableau and applying the 
adjunction rule and then the appending rule. Using the fact that a_{□C} : [R_□]C 
is in the tableau after applying the creation rule, □y :: [R_□]C can be obtained 
similarly. Therefore, the required condition is satisfied for both ◆bIy and bI□y. 
We can deal with the terms of the form yR_◇b analogously. 

For item 4, the only non-trivial case is when ◆bIy, bI□y or ◇bIy, bI■y are 
added via an adjunction rule. In the first case, bR_□y must be present, meaning 
that item 1 is applicable and hence for some C, both b : [R_□]C and y :: C appear 
in the tableau, satisfying the thesis. The other case is treated analogously. 

We prove items 5 and 6 by simultaneous induction on the number of expan- 
sion rules applied. The rules which can add new terms of the form b : C and 
y :: C are the expansion rules for terms of the form b : C₁ ∧ C₂, y :: C₁ ∨ C₂, the 
appending rules, and the adjunction rules. 

If b : C is obtained from b : C ∧ C', either the latter is present in the original 
tableau and the thesis follows trivially, or the induction hypothesis applies and 
it follows by transitivity. The case where y :: C comes from y :: C ∨ C' is analogous. 

If b : [R_□]C is obtained from ◆b : C via an adjunction rule, then it suffices to 
apply the induction hypothesis to ◆b : C, noticing that no black operators can 
appear in the starting tableau. The adjunction case for y :: ⟨R_◇⟩C is similar. 

Without loss of generality, we only treat the case where the appending rule 
is used to add a term of the form b : C. Notice that for the appending rule to be 
applicable we must have bIx_C in the tableau. Then by item 4, either: 


(i) There exist terms b : C₁ and x_C :: C₂ in the tableau such that □p(C₁) = 
□p(C₂) and ◇p(C₁) = ◇p(C₂). 
(ii) b = ◆d (resp. b = ◇d) for some d, and there exist terms d : [R_□]C₂ and 
x_C :: C₂ (resp. x_C :: ⟨R_◇⟩C₂ and b : C₂) in the tableau for some C₂. 
(iii) x_C = ■w (resp. x_C = □w) for some w, and there exist terms w :: ⟨R_◇⟩C₂ 
and b : C₂ (resp. b : [R_□]C₂ and w :: C₂) in the tableau for some C₂. 


In case (i), if C = C₂, the thesis follows easily, else we apply the induction 
hypothesis to x_C :: C₂ to find a term w :: C₂' in the original tableau such that 


◇p(C₁) = ◇p(C₂) + ◇p(x_C) ≤ ◇p(C₂') + ◇p(w),  (2) 
□p(C₂') + □p(w) ≤ □p(C₂) + □p(x_C) = □p(C₁) − □p(C),  (3) 


where x_C is obtained by applying n □-operators to w for some n (note that x_C 
cannot be obtained by application of ■-operators). Thus, we have w = x_{C₃} 
such that C = [R_□]⋯[R_□]C₃ (n boxes). Since x_{C₃} :: C₂' is in the original tableau, it 
must have been added by a creation rule, meaning that C₂' = C₃. Thus, we have 
□p(w) = −□p(C₃), ◇p(w) = 0, ◇p(C₂') = ◇p(C), and □p(C₂') = □p(C) − n. 
Using these equalities in (3) and (2) we obtain 


◇p(C₁) + ◇p(b) ≤ ◇p(C) + ◇p(b) and □p(C) + □p(b) ≤ □p(C₁) + □p(b). 


Thus, if b : C₁ ∈ A, then it is the witness we needed, otherwise it is sufficient to 
apply the induction hypothesis to b : C₁, and the result follows by transitivity. 

In case (ii), suppose d : [R_□]C₂ and x_C :: C₂ are both in the tableau. If C = C₂, 
then the proof follows easily applying the induction hypothesis once to b : C₂ if it 
is not in the original tableau. Otherwise, we can apply the induction hypothesis 
to x_C :: ⟨R_◇⟩C₂, obtaining, by the same argument as in case (i), ◇p(C₂) ≤ ◇p(C) 
and □p(C) ≤ □p(C₂). Therefore, 

◇p([R_□]C₂) + ◇p(d) = ◇p(C₂) + ◇p(d) = ◇p(C₂) + ◇p(◆d) ≤ ◇p(C) + ◇p(b), 
□p(C) + □p(b) ≤ □p(C₂) + □p(◆d) = □p(C₂) + □p(d) + 1 = □p([R_□]C₂) + □p(d). 

Thus, if d : [R_□]C₂ ∈ A, then it is the witness we need; otherwise, it is 
sufficient to apply the induction hypothesis a second time to d : [R_□]C₂, and the 
result then follows by transitivity. The proof for the remaining subcase, where 
b : C' and x_C :: ⟨R_◇⟩C' are both present in the tableau, is done similarly. 

The proof for case (iii) is analogous to (ii) and therefore omitted. 


Definition 3. The □-depth (resp. ◇-depth) of an ABox A is 
□p(A) := max{□p(C') | C' ∈ A} (resp. ◇p(A) := max{◇p(C') | C' ∈ A}). 


Corollary 1. Let C be any concept name added to the tableau expansion at 
some step. Then □p(C) ≤ □p(A), and ◇p(C) ≤ ◇p(A). 


Proof. By item 5 of Lemma 1, for any b : C added to the tableau we must 
have another term d : C' in A or added by a creation rule, such that □p(C) ≤ 
□p(C) + □p(b) ≤ □p(C') + □p(d) = □p(C'). The first inequality holds because 
□p(b) is always non-negative, and the equality follows from the fact that, as d is 
in the original tableau or added by a creation rule, its □-depth is zero. The proof 
for the ◇-depth can be shown in a similar manner using item 6 of Lemma 1. 


Definition 4. For any concept ABox term of the form t = a : C or t = x :: C, 
size(t) = 1 + |sub(C)|. For any relational term β, size(β) = 2. For any LE-ALC 
ABox A, size(A) = Σ_{t∈A} size(t). 
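As an added example (not the paper's code), the following Python functions compute the □-depth and ◇-depth of concepts and individuals (Definitions 1 and 2), the depth and size of an ABox (Definitions 3 and 4), and check the inequalities of Lemma 1, item 5(iii), for a derived term of Example 1. The tuple encoding in the header comment, the function names, and the treatment of negated terms in size (Definition 4 does not mention them) are this example's assumptions.

```python
# Added example, not code from the paper: the depth measures of Definitions 1-3 and the
# size of Definition 4, evaluated on the ABox of Example 1.  Encoding (an assumption):
#   concept    ('atom', n) | ('top',) | ('bot',) | ('and', C1, C2) | ('or', C1, C2)
#              | ('box', R, C) for [R_box]C | ('dia', R, C) for <R_dia>C
#   individual a str for a constant of A; ('a', C) / ('x', C) for a_C / x_C;
#              ('bd', R, b) black-diamond b, ('wd', R, b) white-diamond b,
#              ('wb', R, y) box y, ('bb', R, y) black-box y
#   term       ('mem', b, C), ('desc', y, C), ('I', b, y), ('rbox', R, b, y),
#              ('rdia', R, y, b), ('neg', t)

def box_depth(C):
    """Definition 1, box-depth: +1 per [R_box], max over 'and', min over 'or'."""
    k = C[0]
    if k in ('atom', 'top', 'bot'): return 0
    if k == 'dia': return box_depth(C[2])
    if k == 'box': return box_depth(C[2]) + 1
    if k == 'or': return min(box_depth(C[1]), box_depth(C[2]))
    return max(box_depth(C[1]), box_depth(C[2]))          # 'and'

def dia_depth(C):
    """Definition 1, diamond-depth: +1 per <R_dia>, max over 'or', min over 'and'."""
    k = C[0]
    if k in ('atom', 'top', 'bot'): return 0
    if k == 'box': return dia_depth(C[2])
    if k == 'dia': return dia_depth(C[2]) + 1
    if k == 'or': return max(dia_depth(C[1]), dia_depth(C[2]))
    return min(dia_depth(C[1]), dia_depth(C[2]))          # 'and'

def ind_depths(b):
    """Definition 2: (box-depth, diamond-depth) of an individual."""
    if not isinstance(b, tuple): return (0, 0)            # a constant of A
    if b[0] == 'a': return (0, -dia_depth(b[1]))          # classifying object a_C
    if b[0] == 'x': return (-box_depth(b[1]), 0)          # classifying feature x_C
    bp, dp = ind_depths(b[2])                             # adjoint individuals
    return {'bd': (bp + 1, dp), 'wd': (bp, dp - 1),
            'wb': (bp - 1, dp), 'bb': (bp, dp + 1)}[b[0]]

def sub(C):  # sub(C): all sub-concepts of C, C included
    out = {C}
    if C[0] in ('and', 'or'): out |= sub(C[1]) | sub(C[2])
    elif C[0] in ('box', 'dia'): out |= sub(C[2])
    return out

def size(t):
    """Definition 4; a negated term gets the size of the term it negates (assumption)."""
    if t[0] == 'neg': return size(t[1])
    if t[0] in ('mem', 'desc'): return 1 + len(sub(t[2]))
    return 2                                              # relational term

def abox_size(A):
    return sum(size(t) for t in A)

def abox_depths(A):
    """Definition 3: (box-depth, diamond-depth) of A, maxima over concepts occurring in A."""
    cs = set()
    for t in A:
        u = t[1] if t[0] == 'neg' else t
        if u[0] in ('mem', 'desc'): cs |= sub(u[2])
    return (max(box_depth(C) for C in cs), max(dia_depth(C) for C in cs))

def item5_holds(b, C, d, Cp):
    """Lemma 1, item 5(iii): witness inequalities for b : C derived from d : C'."""
    bp, dp = ind_depths(b)
    dbp, ddp = ind_depths(d)
    return (dia_depth(Cp) + ddp <= dia_depth(C) + dp) and (box_depth(C) + bp <= box_depth(Cp) + dbp)

C1, C2 = ('atom', 'C1'), ('atom', 'C2')
def box(C): return ('box', 'R', C)

# The ABox of Example 1: {b : [R][R]C1, b : [R][R]C2, y :: [R](C1 and C2), not(b R y)}
EXAMPLE1 = {('mem', 'b', box(box(C1))), ('mem', 'b', box(box(C2))),
            ('desc', 'y', box(('and', C1, C2))), ('neg', ('rbox', 'R', 'b', 'y'))}
```

For Example 1 abox_depths(EXAMPLE1) is (2, 0) and abox_size(EXAMPLE1) is 15 (4 + 4 + 5 + 2). The term ◆◆b : C₁ derived in Example 1 has the witness b : [R_□][R_□]C₁ in A: item5_holds(('bd','R',('bd','R','b')), C1, 'b', box(box(C1))) is True, since □p(C₁) + □p(◆◆b) = 0 + 2 ≤ □p([R_□][R_□]C₁) + □p(b) = 2, whereas a third ◆ would break the bound, which is exactly what Theorem 1 uses to bound the number of adjoint individuals.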


Theorem 1 (Termination). For any ABox A, the tableaux algorithm 1 ter- 
minates in a finite number of steps which is polynomial in size(A). 


Proof. New individuals are added to the tableau only in the following ways: 

(1) individuals of the form a_C or x_C can be added by creation rules; 
(2) individuals of the form □y, ■y, ◇b, and ◆b can be added through the expan- 
sion rules for bR_□x and yR_◇a. 


As to (1), by Corollary 1, the □-depth (resp. ◇-depth) of any C appearing in 
an expansion of A is bounded by □p(A) (resp. ◇p(A)). Moreover, no new 
propositional connective is ever added to create a new concept name in any of the 
rules. Therefore, the total number of concept names occurring in an expansion of 
A is bounded by size(A) · (□p(A) + ◇p(A)). Thus, only finitely many constants 
of type (1) can be added. 

For (2), for any individual name b added by some expansion rule, b occurs in 
b : C for some C. By Lemma 1 (5), there is a term d : C' ∈ A s.t. 


□p(b) + □p(C) ≤ □p(d) + □p(C') = □p(C'). 


Therefore, □p(b) is bounded by □p(A). On the other hand, by item 6 of the 
same lemma we also have 0 ≤ ◇p(C') + ◇p(d) ≤ ◇p(C) + ◇p(b). 

The first inequality follows from the fact that d ∈ A, and thus ◇p(d) = 0, 
or d = a_{C'}, and thus ◇p(d) = −◇p(C'). Therefore, we must have −◇p(C) ≤ 
◇p(b), meaning that ◇p(b) is bounded below by −◇p(A). Thus, the number 
of connectives ◇ and ◆ in b is bounded by □p(A) + ◇p(A). Repeating the 
same argument for the individual names of type y, the total number of new 
constant names occurring in an expansion of A is bounded by size(A) · (□p(A) + 
◇p(A)). Thus, only finitely many constants of type (2) are added. Overall, the 
size of the tableau expansion (and hence the model) is O((size(A) · (□p(A) + 
◇p(A)))² · (|ℛ_□| + |ℛ_◇|)). Since the tableaux algorithm for LE-ALC does not 
involve any branching, the above theorem implies that the time complexity of 
checking the consistency of an LE-ALC ABox A using the tableaux algorithm 
is Poly(size(A)). 


4.2 Soundness of the Tableau Algorithm 


For any consistent ABox A, we let its completion A be its maximal expansion 
(which exists due to termination). If there is no clash in A, we construct a model 
(F, ·^I) where A and X are the sets of names of objects and features occurring 
in the expansion, and for any a ∈ A, x ∈ X, and any role names R_□ ∈ ℛ_□, 
R_◇ ∈ ℛ_◇ we have aIx, aR_□x, xR_◇a iff such relational terms explicitly occur 
in A. Let F = (A, X, I, R_□, R_◇) be the relational structure obtained in this 
manner. We define an interpretation I on it as follows. For any object name a 
and feature name x, we let a^I := a and x^I := x. For any atomic concept D, we 
define D^I = (x_D^↓, a_D^↑). Next, we show that I is a valid interpretation for LE- 
ALC. To this end, we need to show that F is an enriched formal context, i.e. that 
all R_□ and R_◇ are I-compatible, and that D^I is a concept in the concept lattice 
P⁺ of P = (A, X, I). The latter condition is shown in the next lemma, and the 
former in the subsequent one. 


Lemma 2. x_D^↓ = a_D^{↑↓}, and a_D^↑ = x_D^{↓↑} for any D ∈ 𝒞. 


Proof. By the creation rules, we always have a_D : D and x_D :: D in A, meaning 
that the tableau can be expanded with a_D Ix_D. Therefore, we always have a_D^{↑↓} ⊆ 
x_D^↓. Suppose a_D Iy and bIx_D for some y ∈ X, b ∈ A. Then by the appending 
rules we have y :: D ∈ A. This along with bIx_D ∈ A immediately implies bIy ∈ A. 
Thus, we also have x_D^↓ ⊆ a_D^{↑↓}. We can prove the other equality analogously. 


Lemma 3. All the relations R_□ ∈ ℛ_□ and R_◇ ∈ ℛ_◇ in F = (P, ℛ_□, ℛ_◇) are 
I-compatible. 


Proof. We need to show that for any b ∈ A and y ∈ X, and any □ ∈ G and 
◇ ∈ F, (1) R_□^(0)[y] = (□y)^↓, (2) R_□^(1)[b] = (◆b)^↑, (3) R_◇^(0)[b] = (◇b)^↑, and (4) 
R_◇^(1)[y] = (■y)^↓. We prove only (1) and (2). The proofs for (3) and (4) are 
analogous. 


1. For any b ∈ A, if bR_□y ∈ A, then bI□y can be added by the adjunction rule, 
and thus R_□^(0)[y] ⊆ (□y)^↓. If bR_□y ∉ A, then bI□y is not added by applying an 
adjunction rule to some bR_□y in the original tableau. Thus, by item 3 of 
Lemma 1, b : C, □y :: C ∈ A. Since □y :: C can only be added by the appending 
rule if a_C I□y ∈ A, and since this term can only be introduced by applying 
the adjunction rule together with the term ◆a_C Iy, some concept C' exists such that 
◆a_C : C', y :: C' ∈ A (again by item 3 of Lemma 1). Then by the adjunction 
rule we have a_C : [R_□]C' ∈ A. Since b : C, x_{□C'} :: C, and y :: C' are all in A, 
bIx_{□C'} and b : [R_□]C' must be in it as well. This, along with y :: C' ∈ A, 
ensures that bR_□y is added to the tableau expansion at some step, and we 
can conclude that (□y)^↓ ⊆ R_□^(0)[y], as desired. 

2. For every b ∈ A, if bR_□y ∈ A, then by the adjunction rule we add ◆bIy. 
Thus, R_□^(1)[b] ⊆ (◆b)^↑. If ◆bIy ∈ A but bR_□y ∉ A, then by item 3 of Lemma 1, some terms 
◆b : C and y :: C must occur in A for some C. So we have y :: C and (by an 
adjunction rule) b : [R_□]C, and hence bR_□y must occur in A. So ◆bIy ∈ A 
implies bR_□y ∈ A. Thus, (◆b)^↑ ⊆ R_□^(1)[b], as desired. 




From the lemmas above, it immediately follows that the tuple M = (F, ·^I), with 
F and ·^I defined at the beginning of the present section, is a model for LE-ALC. 
The following lemma states that the interpretation of any concept C in the model 
M is completely determined by the terms of the form bIx_C and a_C Iy occurring 
in the tableau expansion. 


Lemma 4. Let M = (F, ·^I) be the model defined by the construction above. Then 
for any concept C and individuals b, x occurring in A, 


(1) b ∈ [[C]] iff bIx_C ∈ A   (2) x ∈ ⟨⟨C⟩⟩ iff a_C Ix ∈ A. 


Proof. By induction on the complexity of C. The base case (when C is atomic) 
is immediate by the construction of the model. For C = ⊤, by rule ⊤, and x_⊤ :: ⊤ 
from the creation rule, bIx_⊤ ∈ A for any b ∈ A. Therefore, x_⊤^↓ = A = [[⊤]]. For 
item 2, for any y, if a_⊤ Iy ∈ A, then by the appending rule y :: ⊤ ∈ A. Then 
by ⊤ and the basic rule bIy ∈ A for all b. Thus, a_⊤^↑ ⊆ A^↑ = ⟨⟨⊤⟩⟩. If 
y ∈ ⟨⟨⊤⟩⟩, then bIy ∈ A for any b. In particular a_⊤ Iy ∈ A. Thus, ⟨⟨⊤⟩⟩ = a_⊤^↑. The 
proof for ⊥ is analogous. For the induction step, we have four cases. 
Suppose C = C₁ ∨ C₂. For the first claim, notice that b ∈ [[C₁ ∨ C₂]] iff 
∀y(y ∈ ⟨⟨C₁⟩⟩ ∩ ⟨⟨C₂⟩⟩ ⇒ bIy). By the induction hypothesis, this is equivalent 
to 


∀y(y :: C₁ ∈ A & y :: C₂ ∈ A ⇒ bIy ∈ A). 

By the creation rule for C₁ ∨ C₂, we have x_{C₁∨C₂} :: C₁ ∨ C₂, and consequently 
both x_{C₁∨C₂} :: C₁ and x_{C₁∨C₂} :: C₂ are added to the tableau. Thus, if the con- 
dition y :: C₁ & y :: C₂ ⇒ bIy is satisfied for any y in A, then bIx_{C₁∨C₂} ∈ A. So 
b ∈ [[C₁ ∨ C₂]] implies that bIx_{C₁∨C₂} ∈ A. Conversely, if bIx_{C₁∨C₂} ∈ A, then 
by the appending rule b : C₁ ∨ C₂ ∈ A. Thus, for any y :: C₁ and y :: C₂ ∈ A, 
bIy ∈ A due to rule ∨_A. Hence, bIx_{C₁∨C₂} ∈ A implies 


∀y(y :: C₁ ∈ A & y :: C₂ ∈ A ⇒ bIy ∈ A). 

As observed before, this is equivalent to b ∈ [[C₁ ∨ C₂]], as desired. 


For the second claim, notice that x ∈ ⟨⟨C₁ ∨ C₂⟩⟩ iff x ∈ ⟨⟨C₁⟩⟩ and x ∈ ⟨⟨C₂⟩⟩. 
By induction hypothesis, this is equivalent to x :: C₁ and x :: C₂ occurring in A. 
By the creation rule for C₁ ∨ C₂, a_{C₁∨C₂} : C₁ ∨ C₂ ∈ A. Since x :: C₁, x :: C₂ ∈ A, 
we have a_{C₁∨C₂} Ix ∈ A by the rule ∨_A. Conversely, if a_{C₁∨C₂} Ix ∈ A, then 
x :: C₁ ∨ C₂ ∈ A by the appending rules, which implies x :: C₁, x :: C₂ ∈ A, or 
equivalently, x ∈ ⟨⟨C₁ ∨ C₂⟩⟩. 


The proof for C = C₁ ∧ C₂ is similar to the previous one. 

Suppose C = [R_□]C₁. For the first claim, note that b ∈ [[[R_□]C₁]] iff ∀y(y ∈ 
⟨⟨C₁⟩⟩ ⇒ bR_□y). By induction hypothesis, this is equivalent to ∀y(y :: C₁ ∈ 
A ⇒ bR_□y ∈ A). Since x_{C₁} :: C₁ ∈ A, by the creation rule for C₁, it follows 
that bR_□x_{C₁} ∈ A. By the adjunction rule, this implies bI□x_{C₁} = bIx_{□C₁} ∈ A. 
Conversely, if bIx_{□C₁} ∈ A, then by the appending rule b : [R_□]C₁ ∈ A. 
That is, for any y, if y :: C₁ ∈ A, then bR_□y ∈ A by the expansion rule for □. 
As observed before, this implication is equivalent to b ∈ [[[R_□]C₁]], as desired. 


For the second claim, notice that y ∈ ⟨⟨[R_□]C₁⟩⟩ iff ∀b(b ∈ [[[R_□]C₁]] ⇒ bIy). 
Equivalently (as proved previously), for all b, b : [R_□]C₁ ∈ A implies 
bIy ∈ A. Combining this with the fact that the creation rule for [R_□]C₁ 
implies a_{□C₁} : [R_□]C₁ ∈ A, this implies that a_{□C₁} Iy ∈ A as well. Conversely, 
suppose a_{□C₁} Iy ∈ A. Then for any b, if b : [R_□]C₁ ∈ A, then bIy ∈ A. This 
is equivalent to y ∈ ⟨⟨[R_□]C₁⟩⟩. 

The proof for C = ⟨R_◇⟩C₁ is similar to the previous one. 


Theorem 2 (Soundness). The model M = (F, ·^I) defined above satisfies the 
ABox A. 


Proof. We proceed by cases. 

1. By construction, M satisfies all terms of the form bR_□y, bIy, or yR_◇b in A. 
2. By construction, any relational term is satisfied by M iff it explicitly occurs in 
A. Thus, either M satisfies all terms of the form ¬(bR_□y), ¬(bIy), or ¬(yR_◇b) 
occurring in A, or some expansion of A contains a clash. 
3. For the terms of the form b : C, y :: C, ¬(b : C), or ¬(y :: C), we have b ∈ [[C]] 
iff bIx_C ∈ A, and y ∈ ⟨⟨C⟩⟩ iff a_C Iy ∈ A (Lemma 4). For any b : C, y :: C, 
¬(b : C), or ¬(y :: C) occurring in A, we respectively add bIx_C, a_C Iy, ¬(bIx_C), 
or ¬(a_C Iy) to A via the expansion rules, and thus M satisfies the constraints. 


The following corollary is an immediate consequence of the termination and 
soundness of the tableau procedure. 


Corollary 2 (Finite Model Property). For any consistent LE-ALC ABox 
A, some model of A exists the size of which is polynomial in size(A). 


Proof. The model M of Theorem 2 is the required witness. The polynomial 
bound on the size of M follows from the proof of Theorem 1. 


4.3 Completeness of the Tableau Algorithm 


In this section, we prove the completeness of the tableau algorithm. The following 
lemma is key to this end, since it shows that every model for an LE-ALC ABox 
can be extended to a model with classifying objects and features. 


Lemma 5. For any ABox A, any model M = (F, ·^I) of A can be extended to 
a model M' = (F', ·^{I'}) such that F' = (A', X', I', {R'_□}_{□∈G}, {R'_◇}_{◇∈F}), A ⊆ A' 
and X ⊆ X', and moreover for every □ ∈ G and ◇ ∈ F: 


1. There exist a_C ∈ A' and x_C ∈ X' such that: 

C^{I'} = (I'^(0)[x_C], I'^(1)[a_C]). (4) 

2. For every individual b in A there exist ◇b and ◆b in A' such that: 

I'^(1)[◆b] = R_□^(1)[b] and I'^(1)[◇b] = R_◇^(0)[b]. (5) 

3. For every individual y in X there exist □y and ■y in X' such that: 

I'^(0)[□y] = R_□^(0)[y] and I'^(0)[■y] = R_◇^(1)[y]. (6) 

4. For any C, [[C^I]] = [[C^{I'}]] ∩ A and ⟨⟨C^I⟩⟩ = ⟨⟨C^{I'}⟩⟩ ∩ X. 


Proof. Fix □ ∈ G and ◇ ∈ F. Let M' be defined as follows. For every concept 
C, we add new elements a_C and x_C to A and X (respectively) to obtain the sets 
A' and X'. For any J ∈ {I, R_□}, any a ∈ A' and x ∈ X', we set aJ'x iff one of 
the following holds: 

1. a ∈ A, x ∈ X, and aJx; 
2. x ∈ X, and a = a_C for some concept C, and bJx for all b ∈ [[C^I]]; 
3. a ∈ A, and x = x_C for some concept C, and aJy for all y ∈ ⟨⟨C^I⟩⟩; 
4. a = a_{C₁} and x = x_{C₂} for some C₁, C₂, and bJy for all b ∈ [[C₁^I]] and y ∈ ⟨⟨C₂^I⟩⟩. 

We set xR'_◇a iff one of the following holds: 

1. a ∈ A, x ∈ X, and xR_◇a; 
2. x ∈ X, and a = a_C for some concept C, and xR_◇b for all b ∈ [[C^I]]; 
3. a ∈ A, and x = x_C for some concept C, and yR_◇a for all y ∈ ⟨⟨C^I⟩⟩; 
4. a = a_{C₁} and x = x_{C₂} for some C₁, C₂, and yR_◇b for all b ∈ [[C₁^I]], y ∈ ⟨⟨C₂^I⟩⟩. 


For any b ∈ A, y ∈ X, let ◆b = a_{◆cl(b)}, ◇b = a_{◇cl(b)}, □y = x_{□cl(y)}, and 
■y = x_{■cl(y)}, where cl(b) (resp. cl(y)) is the smallest concept generated by b 
(resp. y). For any C, let C^{I'} = (I'^(0)[x_C], I'^(1)[a_C]). Then M' is as required. 


Theorem 3 (Completeness). Let A be a consistent ABox and A' be obtained 
via the application of any expansion rule applied to A. Then A' is also consistent. 


Proof. If A is consistent, by Lemma 5, a model M' of A exists which satisfies 
(4), (5) and (6). The statement follows from the fact that any term added by 
any expansion rule is satisfied by M' where we interpret a_C, x_C, ◆b, ◇b, □y, ■y 
as in Lemma 5. 


Remark 2. The algorithm can easily be extended to acyclic TBoxes, via the 
unravelling technique (cf. [3] for details). 


5 Conclusion and Future Work 


In this paper, we define a two-sorted non-distributive description logic LE-ALC 
to describe and reason about formal concepts arising from (enriched) formal 
contexts from FCA. We describe ABox and TBox terms for the logic and define 
a tableaux algorithm for it. This tableaux algorithm decides the consistency of 
ABoxes and acyclic TBoxes, and provides a procedure to construct a model 
when the input is consistent. We show that this algorithm is computationally 
more efficient than the tableaux algorithm for ALC. 
This work can be extended in several interesting directions. 


Dealing with Cyclic TBoxes and RBox Axioms. In this paper, we introduced a 
tableaux algorithm only for knowledge bases with acyclic TBoxes. We conjecture 
that the following statement holds of general (i.e. possibly cyclic) TBoxes. 
Conjecture. The tableaux algorithm introduced in this paper can be extended to 
check the consistency of any knowledge base (A, T) (with possibly cyclic TBox 
axioms) in time polynomial in size(A ∪ T). 

Developing such an algorithm is a research direction we are currently pur- 
suing. Another aspect we intend to develop in future work concerns giving a 
complete axiomatization for LE-ALC. RBox axioms are used in description log- 
ics to describe the relationship between different relations in knowledge bases 
and the properties of these relations such as reflexivity, symmetry, and transi- 
tivity. It would be interesting to see if it is possible to obtain necessary and/or 
sufficient conditions on the shape of RBox axioms for which a tableaux algorithm 
can be obtained. This has an interesting relationship with the problem in LE- 
logic of providing computationally efficient proof systems for various extensions 
of LE-logic in a modular manner [5,16]. 
Generalizing to Other Semantic Frameworks. The non-distributive DL intro- 
duced in this paper is semantically motivated by a relational semantics for LE- 
logics which establishes a link with FCA. A different semantics for the same 
logic, referred to as graph-based semantics [12], provides another interpretation 
of the same logic as a logic suitable for evidential and hyper-constructivist rea- 
soning. In the future, we intend to develop description logics for reasoning in 
the framework of graph-based semantics, to appropriately model evidential and 
hyper-constructivist settings. 


Generalizing to More Expressive Description Logics. The DL LE-ALC is the 
non-distributive counterpart of ALC. A natural direction for further research is 
to explore the non-distributive counterparts of extensions of ALC such as ALCI 
and ALCIN. 


Description Logic and Formal Concept Analysis. The relationship between FCA 
and DL has been studied and used in several applications [1,4,17]. The frame- 
work of LE-ALC formally brings FCA and DL together, both because its con- 
cepts are naturally interpreted as formal concepts in FCA, and because its lan- 
guage is designed to represent knowledge and reasoning in enriched formal con- 
texts. Thus, these results pave the way to the possibility of establishing a closer 
and more formally explicit connection between FCA and DL, and of using this 
connection in theory and applications. 
Abstract. We provide a new sequent calculus that enjoys syntactic cut- 
elimination and strongly terminating backward proof search for the intu- 
itionistic Strong Löb logic iSL, an intuitionistic modal logic with a prov- 
ability interpretation. A novel measure on sequents is used to prove both 
the termination of the naive backward proof search strategy, and the 
admissibility of cut in a syntactic and direct way, leading to a straight- 
forward cut-elimination procedure. All proofs have been formalised in 
the interactive theorem prover Coq. 


Keywords: Intuitionistic provability logic - Cut-elimination - 
Backward proof search - Interactive theorem proving - Proof theory 


1 Introduction 


Gödel-Löb logic GL extends classical modal logic K with the Gödel-Löb axiom 
$\Box(\Box\varphi \to \varphi) \to \Box\varphi$. GL is the provability logic of Peano Arithmetic PA, i.e. it 
consists of all modal formulas that are true under any arithmetical interpretation 
where $\Box\varphi$ means "$\varphi$ is provable in PA" (expressed in the language of PA). 

An intuitionistic version of GL is iGL and the intuitionistic counterpart of PA 
is Heyting Arithmetic HA. For a long time, the provability logic of HA was an 
open problem and was only known to be an extension of iGL. However, Mojtahedi 
claims to have found a solution in a preprint [34] currently under review. 

Several other logics also have provability interpretations, such as modalised 
Heyting calculus mHC, Kuznetsov-Muravitsky logic KM, and intuitionistic 
Strong Löb logic iSL [14,30,32,35]. All these intuitionistic modal logics except 
mHC include the Gödel-Löb axiom and all except iGL contain the so-called com- 
pleteness axiom $\varphi \to \Box\varphi$. 

Important to note is that these logics are defined over the language with 
only the $\Box$-modality and without $\Diamond$. In classical modal logic, $\Diamond$ is dual to $\Box$ and 
reads as consistency in the provability interpretation. However, for intuitionistic 
modal logics, in general, $\Diamond$ and $\Box$ are not interdefinable and several choices 
can be made. Interestingly, intuitionistic modal logics defined over the language 
with only the $\Box$ already reveal intrinsic intuitionistic characters. Important for 
us is the aforementioned completeness principle, also known as the coreflection 
principle. It trivializes in a classical setting, but has interesting intuitionistic 
readings. Indeed, in our setting of provability, $\varphi \to \Box\varphi$ reads as completeness: 
"if $\varphi$ is true then $\varphi$ is provable" (see [45] for a discussion on the completeness 
principle in extensions of Heyting Arithmetic). The coreflection principle also 
appears in intuitionistic epistemic logic and lax logic (for overviews see, e.g., 
[18,32]). 

Here, we consider iSL, the minimal intuitionistic modal logic with both the 
Gödel-Löb axiom and the completeness axiom, which can also be axiomatised 
over intuitionistic modal logic iK by the Strong Löb axiom $(\Box\varphi \to \varphi) \to \varphi$. 
The logic iSL is the provability logic of an extension of Heyting Arithmetic with 
respect to so-called slow provability [46] and plays an important role in the 
$\Sigma_1$-provability logic of HA [3]. 

The Gödel-Löb axiom characterises transitive converse well-founded Kripke 
frames for GL and also for the birelational frames for iGL, iSL, and KM. Inter- 
estingly, for iSL, mHC, and KM, the modal relation is a part of the intuitionistic 
relation. This semantics plays an important role in the study of iSL, e.g. in the 
characterisation of its admissible rules [19]. A natural deduction system for iSL 
can be found in [7]. The proof systems that we focus on here are sequent calculi. 

From a proof-theoretic perspective, the "diagonal formula" $\Box\varphi$ in the modal 
(GLR) rule for GL causes difficulties for direct cut-elimination because the 
standard induction on the size of the cut-formula and the height fails. Cut-elimination 
is highly nontrivial as witnessed by decades of unsuccessful attempts and con- 
troversies before the proof by Valentini [44] was finally shown to be correct [23]. 


$$\frac{\Gamma, \Box\Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi, \Delta}\ (\mathrm{GLR}) \qquad \frac{\Gamma, \varphi \to \psi \Rightarrow \varphi \quad \Gamma, \psi \Rightarrow \chi}{\Gamma, \varphi \to \psi \Rightarrow \chi}\ (\to L_i)$$


In backward proof search, the (GLR) rule causes loops because $\Box\Gamma$ is preserved 
upwards from conclusion to premise. For (GLR), a simple terminating 
and complete strategy consists in applying (GLR) only if $\Box\varphi \notin \Box\Gamma$. In sequent 
calculi for intuitionistic logic, the traditional $(\to L_i)$ rule, shown above right, 
can cause backward proof search to go into loops. For termination without loop 
check, various authors have independently discovered the sequent calculus G4ip 
which replaces the $(\to L_i)$ rule with multiple rules, depending on the form of 
$\varphi$ [12]. Iemhoff [29] developed G4-like calculi for several intuitionistic modal 
logics. 

Thus, in a sequent calculus for an intuitionistic provability logic, both the 
modal rule and left implication rule have the potential to cause loops and 
the modal rule can complicate direct cut-elimination! For logic iGL, van der 
Giessen and Iemhoff have developed G3iGL and G4iGL [20], providing a direct 
cut-elimination procedure for the former. The initial proof of cut-elimination for 
G4iGL was indirect, via G3iGL, but Goré and Shillito later formalised direct cut- 
elimination using the maximal height of derivations as induction parameter [26]. 


Recently, van der Giessen and Iemhoff [21] developed two sequent calculi, 
G3iSL and G4iSL, for iSL for which they provided the analogue results compared 
to G3iGL and G4iGL mentioned above. In particular, they show that backward 
proof search in G4iSL weakly terminates: there exists a terminating (and com- 
plete) backward proof search strategy, namely one similar to the above-described 
for logic GL. However, not all strategies terminate on this calculus: the naive 
backward proof search strategy, apply any rule in any order, does not. 

Here, we present G4iSLt, which replaces the G4iSL rules in the top row below 
by the rules in the bottom row. As suggested by van der Giessen and Iemhoff [21], 
the new modal rule drops the explicit embedding of transitivity. But crucially, 
the new left-implication rule drops both transitivity and contraction on $\Box\varphi \to \psi$ 
in the left premise. The right premise $S = \Phi, \Box\Gamma, \psi \Rightarrow \chi$ is kept untouched: 

$$\frac{\Phi, \Gamma, \Box\Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi} \qquad \frac{\Phi, \Gamma, \Box\Gamma, \Box\varphi \to \psi, \Box\varphi \Rightarrow \varphi \quad S}{\Phi, \Box\Gamma, \Box\varphi \to \psi \Rightarrow \chi}$$

$$\frac{\Phi, \Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi} \qquad \frac{\Phi, \Gamma, \psi, \Box\varphi \Rightarrow \varphi \quad S}{\Phi, \Box\Gamma, \Box\varphi \to \psi \Rightarrow \chi}$$


Our results improve on the work of van der Giessen and Iemhoff [21]. First, 
our new measure ensures that the naive backward proof search strategy for 
our new calculus terminates. This is unusual for sequent calculi for provabil- 
ity logics, and especially for intuitionistic provability logics. Second, we prove 
direct cut-elimination for G4iSLt using a proof technique similar to the mhd 
proof technique [6,24]. Third, all our results are formalised in Coq and can be 
found here: https://ianshil.github.io/G4iSLT. We consequently contribute to the 
rapidly growing literature of formalised proof theory [1,8,9,15,17,24,26,39]. We 
also think that our work sheds light on what one might call proof-theoretic 
meta considerations. Namely, it shows the subtle consequences of rule choices on 
termination and cut-elimination. 

In Sect. 2, we introduce the preliminaries of iSL, including our calculus G4iSLt. 
Section 3 presents the admissibility of structural rules in G4iSLt. In Sect. 4, we 
prove that backward proof search in G4iSLt strongly terminates. Finally, in 
Sect. 5, we directly prove cut-admissibility for G4iSLt using a proof technique 
similar to the mhd proof technique [6,24]. 


2 Preliminaries 


In this section we successively present the syntax, axiomatic system, Kripke 
semantics and sequent calculus for the logic iSL. 


2.1 Syntax 


Let $V = \{p, q, r, \ldots\}$ be a countably infinite set of propositional variables on 
which equality is decidable, that is $\forall p, q \in V$, we can decide whether $p = q$ 
or else $p \neq q$. Modal formulae are defined using BNF notation as below: 

$$\varphi ::= p \in V \mid \bot \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \to \varphi \mid \Box\varphi$$
We use the Greek letters $\varphi, \psi, \chi, \delta, \ldots$ for formulae and $\Gamma, \Delta, \Phi, \Psi, \ldots$ for multisets 
of formulae. We say that $\varphi$ is a boxed formula if $\Box$ is its main connective. For a 
multiset $\Gamma$, we define the multiset $\Box\Gamma := \{\Box\varphi : \varphi \in \Gamma\}$. By the unboxing of a 
multiset $\Box\Gamma$ we mean the multiset $\Gamma$. 

Following Goré et al. [24,26], we encode formulae as an inductive type MPropF 
whose base case encodes V as the type nat of natural numbers, because nat is 
countably infinite and equality is decidable on it. A list of such formulae then 
has the type list MPropF. The usual operations on lists, "append" and "cons", 
are respectively represented by ++ and ::, but Coq also allows us to write lists 
in infix notation using ;. Thus the terms φ1 :: φ2 :: φ3 :: nil and [φ1] 
++ [φ2] ++ [φ3] and [φ1 ; φ2 ; φ3] all encode the list φ1, φ2, φ3. 

We straightforwardly extend Dyckhoff's notion of weight of a formula [11], 
defined for the intuitionistic language, to the modal language. 


Definition 1. The weight $w(\varphi)$ of a formula $\varphi$ is defined as follows: 

$w(\bot) = w(p) = 1$ 
$w(\psi \vee \chi) = w(\psi \to \chi) = w(\psi) + w(\chi) + 1$ 
$w(\psi \wedge \chi) = w(\psi) + w(\chi) + 2$ 
$w(\Box\psi) = w(\psi) + 1$ 


The main motivation behind this weight is to ensure that $w(\varphi \to (\psi \to \chi)) < 
w((\varphi \wedge \psi) \to \chi)$, which is crucial to show termination of naive backward proof 
search on the sequent calculus G4ip for intuitionistic logic. 


2.2 Axiomatic Systems as Consequence Relations 


Traditional Hilbert calculi are designed to capture logics as sets of theorems, that 
is sets of the form $\{\varphi : \vdash \varphi\}$. However, when considering logics as consequence 
relations these systems are inadequate, and notably lead to historical confusions 
about properties such as the deduction theorem [25,27]. 

Generalised Hilbert calculi manipulate expressions $\Gamma \vdash \varphi$, where $\Gamma$ is a set of 
formulae. They clearly distinguish between the notion of deducibility from a set 
of assumptions and theoremhood. They are particularly useful for identifying 
the appropriate form of deduction theorem holding for a logic [25]. Still, they 
correspond to traditional Hilbert calculi when restricted to consecutions of the 
shape $\emptyset \vdash \varphi$, as we do here. Thus, we can connect the generalised Hilbert calculus 
here to the traditional Hilbert calculus considered by Ardeshir and Mojtahedi [3]. 

The generalised Hilbert calculus iSLH for iSL, shown in Fig. 1, extends the 
one for intuitionistic modal logic iK with the Strong Löb axiom $(\Box\varphi \to \varphi) \to \varphi$. 
We write $\Gamma \vdash_{\mathsf{iSLH}} \varphi$ if $\Gamma \vdash \varphi$ is provable in iSLH. 

Note that if we replace the premise of the rule (Nec) by $\Gamma \vdash \varphi$ we obtain an 
equivalent calculus. This is implied by the completeness axiom $\varphi \to \Box\varphi$ and the 
holding of the deduction theorem in iSLH [18]. 
Axioms 

A1  $\varphi \to (\psi \to \varphi)$ 
A2  $(\varphi \to (\psi \to \chi)) \to ((\varphi \to \psi) \to (\varphi \to \chi))$ 
A3  $\varphi \to (\varphi \vee \psi)$ 
A4  $\psi \to (\varphi \vee \psi)$ 
A5  $(\varphi \to \chi) \to ((\psi \to \chi) \to ((\varphi \vee \psi) \to \chi))$ 
A6  $(\varphi \wedge \psi) \to \varphi$ 
A7  $(\varphi \wedge \psi) \to \psi$ 
A8  $(\varphi \to \psi) \to ((\varphi \to \chi) \to (\varphi \to (\psi \wedge \chi)))$ 
A9  $\bot \to \varphi$ 
A10 $\Box(\varphi \to \psi) \to (\Box\varphi \to \Box\psi)$ 
A11 $(\Box\varphi \to \varphi) \to \varphi$ 

Rules of Inference 

(Ax)  $\dfrac{\varphi \text{ is an instance of an axiom}}{\Gamma \vdash \varphi}$ 
(El)  $\dfrac{\varphi \in \Gamma}{\Gamma \vdash \varphi}$ 
(Nec) $\dfrac{\emptyset \vdash \varphi}{\Gamma \vdash \Box\varphi}$ 
(MP)  $\dfrac{\Gamma \vdash \varphi \quad \Gamma \vdash \varphi \to \psi}{\Gamma \vdash \psi}$ 

Fig. 1. Generalised Hilbert calculus iSLH for iSL 


2.3 Kripke Semantics 


We now present the Kripke semantics for iSL [3,32], notably to prove soundness 
of our sequent calculus G4iSLt and to explain its rules (SLtR) and (□→L). 

The Kripke semantics of iSL is a restriction of the Kripke semantics for intu- 
itionistic modal logics. More precisely, the semantic interpretation of connectives 
is preserved, but the class of models is restricted. The models for this logic are 
defined below, where for a set W, we write P(W) for the set of all subsets of W. 


Definition 2. A Kripke model $M$ for iSL is a tuple $(W, \leq, R, I)$, where $W$ is 
a non-empty set (of possible worlds), both $\leq$ (the intuitionistic relation) and $R$ 
(the modal relation) are subsets of $W \times W$, and $I : V \to \mathcal{P}(W)$, which satisfies 
the following: $\leq$ is reflexive and transitive; $R$ is transitive and converse well- 
founded; $(\leq \circ R) \subseteq R$ where "$\circ$" is relational composition; $R \subseteq \leq$; and for all 
$p \in V$ and $w, v \in W$, if $w \leq v$ and $w \in I(p)$ then $v \in I(p)$. 


Note the peculiarity of the models for iSL: $R \subseteq \leq$, that is the modal relation 
is a subset of the intuitionistic relation. We recall the standard definition of 
forcing for intuitionistic modal logics, and show that persistence holds. 


Definition 3. Given a Kripke model $M = (W, \leq, R, I)$, we define the forcing 
relation as follows, where $v \geq w$ is just $w \leq v$: 

$M, w \Vdash p$ iff $w \in I(p)$ 
$M, w \Vdash \bot$ never 
$M, w \Vdash \varphi \wedge \psi$ iff $M, w \Vdash \varphi$ and $M, w \Vdash \psi$ 
$M, w \Vdash \varphi \vee \psi$ iff $M, w \Vdash \varphi$ or $M, w \Vdash \psi$ 
$M, w \Vdash \varphi \to \psi$ iff $\forall v \geq w.\ M, v \Vdash \varphi$ implies $M, v \Vdash \psi$ 
$M, w \Vdash \Box\varphi$ iff $\forall v \in W.\ wRv$ implies $M, v \Vdash \varphi$ 

Local consequence is as below, where $M, w \Vdash \Gamma$ means $\forall \varphi \in \Gamma.\ M, w \Vdash \varphi$: 

$\Gamma \models \varphi$ iff $\forall M\ \forall w.\ (M, w \Vdash \Gamma$ implies $M, w \Vdash \varphi)$ 
Lemma 1 (Persistence). For any model $M = (W, \leq, R, I)$, formula $\varphi$ and 
points $w, v \in W$, if $w \leq v$ and $M, w \Vdash \varphi$ then $M, v \Vdash \varphi$. 


Interestingly, as iSL satisfies the finite model property [46] it can also be 
characterised by the class of finite frames where R is transitive and irreflexive. 
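Definition 2 and Definition 3 are concrete enough to be checked mechanically on a finite model. The following Python script is an added example, not part of the paper or of its Coq development: the tuple encoding of formulae, the three-point chain model and the two-point counter-model are constructed here for illustration. It checks the frame conditions of Definition 2 (on a finite transitive frame, converse well-foundedness reduces to irreflexivity, which is what it tests), evaluates the forcing relation of Definition 3, checks persistence (Lemma 1) by brute force, and confirms that the Strong Löb, Gödel-Löb and completeness axioms are forced at every point of the chain while reflection $\Box p \to p$ is not. The second frame drops the condition $R \subseteq \leq$ singled out in the text; the checker reports the violation, and at its root $p$ holds but $\Box p$ does not, so the completeness axiom fails there.

```python
# Added example (not from the paper): a brute-force checker for finite Kripke
# models of iSL, following Definition 2 (frame conditions), Definition 3
# (forcing) and Lemma 1 (persistence). Formulas are nested tuples.
def var(p): return ('var', p)
BOT = ('bot',)
def conj(a, b): return ('and', a, b)
def disj(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)

def compose(s, t):
    """Relational composition s o t on sets of pairs."""
    return {(w, u) for (w, v) in s for (v2, u) in t if v == v2}

def check_frame(W, le, R, I):
    """Return the list of conditions of Definition 2 that (W, le, R, I) violates;
    an empty list means it is an iSL model. On a finite transitive frame,
    converse well-foundedness is the same as irreflexivity, which is what we test."""
    bad = []
    if not all((w, w) in le for w in W): bad.append('<= not reflexive')
    if not compose(le, le) <= le: bad.append('<= not transitive')
    if not compose(R, R) <= R: bad.append('R not transitive')
    if any((w, w) in R for w in W): bad.append('R not converse well-founded')
    if not compose(le, R) <= R: bad.append('(<= o R) not included in R')
    if not R <= le: bad.append('R not included in <=')
    for p, ws in I.items():
        if any(w in ws and v not in ws for (w, v) in le):
            bad.append('I(%s) not upward closed' % p)
    return bad

def forces(M, w, f):
    """Definition 3: M, w forces f."""
    W, le, R, I = M
    k = f[0]
    if k == 'var': return w in I.get(f[1], set())
    if k == 'bot': return False
    if k == 'and': return forces(M, w, f[1]) and forces(M, w, f[2])
    if k == 'or': return forces(M, w, f[1]) or forces(M, w, f[2])
    if k == 'imp':   # quantifies over intuitionistic successors v >= w
        return all(not forces(M, v, f[1]) or forces(M, v, f[2])
                   for v in W if (w, v) in le)
    if k == 'box':   # quantifies over modal successors w R v
        return all(forces(M, v, f[1]) for v in W if (w, v) in R)
    raise ValueError(f)

def valid(M, f):
    """f is forced at every point of M."""
    return all(forces(M, w, f) for w in M[0])

def persistent(M, f):
    """Lemma 1 checked by brute force: w <= v and w forces f imply v forces f."""
    return all(not forces(M, w, f) or forces(M, v, f) for (w, v) in M[1])

# Constructed sample model: the chain 0 R 1 R 2 with <= its reflexive closure,
# so R is transitive, irreflexive and included in <=; p holds from point 1 on.
W = {0, 1, 2}
R = {(0, 1), (1, 2), (0, 2)}
LE = R | {(w, w) for w in W}
M_ISL = (W, LE, R, {'p': {1, 2}})

# Constructed counter-model that violates R included in <= (the condition singled
# out in the text): p holds at 0, but 0 has a modal successor 1 where p fails.
M_BAD = ({0, 1}, {(0, 0), (1, 1)}, {(0, 1)}, {'p': {0}})

p = var('p')
STRONG_LOB = imp(imp(box(p), p), p)           # (box p -> p) -> p
GODEL_LOB = imp(box(imp(box(p), p)), box(p))  # box(box p -> p) -> box p
COMPLETENESS = imp(p, box(p))                 # p -> box p
REFLECTION = imp(box(p), p)                   # box p -> p, not an iSL theorem

if __name__ == '__main__':
    print(check_frame(*M_ISL), [valid(M_ISL, f) for f in
          (STRONG_LOB, GODEL_LOB, COMPLETENESS, REFLECTION)])
    print(check_frame(*M_BAD), forces(M_BAD, 0, COMPLETENESS))
```

The implication clause quantifies over $\leq$-successors and the box clause over $R$-successors exactly as in Definition 3; because $R \subseteq \leq$ on the chain, every point forcing $p$ also forces $\Box p$, which is why the completeness axiom comes out valid there and fails on the frame that breaks the inclusion.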


2.4 Sequent Calculus 


A sequent is a pair of a finite multiset $\Gamma$ of formulae and a formula $\chi$, denoted 
$\Gamma \Rightarrow \chi$. For a sequent $\Gamma \Rightarrow \varphi$ we call $\Gamma$ the antecedent of the sequent and $\varphi$ the 
consequent of the sequent. For multisets $\Gamma$ and $\Delta$, the multiset sum $\Gamma \uplus \Delta$ is 
the multiset whose multiplicity (at each formula) is the sum of the multiplicities 
of $\Gamma$ and $\Delta$. We write $\Gamma, \Delta$ to mean $\Gamma \uplus \Delta$. For a formula $\varphi$, we write $\varphi, \Gamma$ 
and $\Gamma, \varphi$ to mean $\{\varphi\} \uplus \Gamma$. From the formalisation perspective, a pair of a list 
of formulae (list MPropF) and a formula MPropF has type (list MPropF) * 
MPropF, using the Coq notation * for forming pairs. The latter is the type we 
give to sequents in our formalisation, for which we use the macro Seq. Thus the 
sequent φ1, φ2, φ3 ⇒ ψ is encoded by the term [φ1 ; φ2 ; φ3] * ψ, which 
itself can also be written as the pair ([φ1 ; φ2 ; φ3], ψ). Note that [φ1 
; φ2 ; φ3] * ψ is different from [φ2 ; φ1 ; φ3] * ψ since the order of the 
elements is crucial, so our lists do not capture multisets (yet). 

A sequent calculus consists of a finite set of sequent rule schemas. Each rule 
schema consists of a conclusion sequent schema and some number of premise 
sequent schemas. A rule schema with zero premise schemas is called an initial 
rule. The conclusion and premises are built in the usual way from propositional- 
variables, formula-variables and multiset-variables. A rule instance is obtained 
by uniformly instantiating every variable in the rule schema with a concrete 
object of that type. This is the standard definition from structural proof theory. 


Definition 4 (Derivation/Proof). A derivation of a sequent S in the sequent 
calculus C is a finite tree of sequents such that (i) the root node is S; and (ii) 
each interior node and its direct children are the conclusion and premise(s) of a 
rule instance in C. A proof is a derivation where every leaf is the conclusion of 
an instance of an initial rule. 


Note that we explicitly define the notion of a derivation as an object rather 
than define the notion of derivability, as is done in some papers. We do so as we 
want to create a “deep” embedding of such derivations into Coq [9]. 

In what follows, it should be clear from context whether the word "proof" 
refers to the object defined in Definition 4, or to the meta-level notion. We 
say that a sequent is provable in G4iSLt if it has a proof in G4iSLt. We elide 
the details of the encodings of sequent rules and derivations, as these can be 
found elsewhere [1,39]. We define a predicate G4iSLt_prv on sequents to encode 
provability in G4iSLt. Our encodings rely on the type Type, which bears com- 
putational content, unlike Prop, and is crucially compatible with the extraction 
function of Coq. 
Before presenting our calculus, we recall standard notions from proof theory. 


Definition 5 (Height). For any derivation $\delta$, its height $h(\delta)$ is the maximum 
number of nodes on a path from root to leaf. 


Definition 6 (Admissibility, Invertibility, Height-Preservation). Let R 
be a rule schema with premises $S_1, \ldots, S_n$ and conclusion $S$. We say that R is: 

admissible: if for every instance of R, the instance of $S$ is provable whenever the 
instances of $S_1, \ldots, S_n$ are all provable; 

invertible: if for every instance of R, the instances of $S_1, \ldots, S_n$ are all provable 
whenever the instance of $S$ is provable; 

height-preserving admissible: if for every instance of R, if there are proofs $\pi_1, \ldots, 
\pi_n$ of the instances of $S_1, \ldots, S_n$ then there is a proof $\pi$ of the instance of 
$S$ such that $h(\pi) \leq h(\pi_i)$ for some $1 \leq i \leq n$; 

height-preserving invertible: if for every instance of R, if $\pi$ is a proof of the 
instance of $S$ then there are proofs $\pi_1, \ldots, \pi_n$ of the instances of $S_1, \ldots, S_n$ 
such that $h(\pi_i) \leq h(\pi)$ for all $1 \leq i \leq n$. 


The sequent calculus G4iSLt is given in Fig.2. When defining rules we put 
the label naming of the rule on the left of the horizontal line, while the label 
appears on the right of the line in instances of rules. 


(IdP) $\Gamma, p \Rightarrow p$ 
(⊥L) $\Gamma, \bot \Rightarrow \chi$ 

(∧R) $\dfrac{\Gamma \Rightarrow \varphi \quad \Gamma \Rightarrow \psi}{\Gamma \Rightarrow \varphi \wedge \psi}$ 
(∧L) $\dfrac{\Gamma, \varphi, \psi \Rightarrow \chi}{\Gamma, \varphi \wedge \psi \Rightarrow \chi}$ 
(∨R_i) $\dfrac{\Gamma \Rightarrow \varphi_i}{\Gamma \Rightarrow \varphi_1 \vee \varphi_2}$ $(i \in \{1, 2\})$ 
(∨L) $\dfrac{\Gamma, \varphi \Rightarrow \chi \quad \Gamma, \psi \Rightarrow \chi}{\Gamma, \varphi \vee \psi \Rightarrow \chi}$ 
(→R) $\dfrac{\Gamma, \varphi \Rightarrow \psi}{\Gamma \Rightarrow \varphi \to \psi}$ 
(p→L) $\dfrac{\Gamma, p, \psi \Rightarrow \chi}{\Gamma, p, p \to \psi \Rightarrow \chi}$ 
(∧→L) $\dfrac{\Gamma, \varphi \to (\psi \to \chi) \Rightarrow \delta}{\Gamma, (\varphi \wedge \psi) \to \chi \Rightarrow \delta}$ 
(∨→L) $\dfrac{\Gamma, \varphi \to \chi, \psi \to \chi \Rightarrow \delta}{\Gamma, (\varphi \vee \psi) \to \chi \Rightarrow \delta}$ 
(→→L) $\dfrac{\Gamma, \psi \to \chi \Rightarrow \varphi \to \psi \quad \Gamma, \chi \Rightarrow \delta}{\Gamma, (\varphi \to \psi) \to \chi \Rightarrow \delta}$ 
(SLtR) $\dfrac{\Phi, \Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi}$ 
(□→L) $\dfrac{\Phi, \Gamma, \psi, \Box\varphi \Rightarrow \varphi \quad \Phi, \Box\Gamma, \psi \Rightarrow \chi}{\Phi, \Box\Gamma, \Box\varphi \to \psi \Rightarrow \chi}$ 

Fig. 2. The sequent calculus G4iSLt, where $\Phi$ contains no boxed formula. 


In (IdP), a propositional variable instantiating the featured occurrences of $p$ 
is principal. In a rule instance of (∧R), (∧L), (∨R_i), (∨L) or (→R), the principal 
formula of that instance is defined as usual. In a rule instance of (p→L), both 
a propositional variable instantiating $p$ and the formula instantiating the fea- 
tured $p \to \psi$ are principal formulae of that instance. In a rule instance of (∧→L), 
(∨→L), (→→L) or (□→L), the formula instantiating respectively $(\varphi \wedge \psi) \to \chi$, 
$(\varphi \vee \psi) \to \chi$, $(\varphi \to \psi) \to \chi$ or $\Box\varphi \to \psi$ is the principal formula of that instance. 
In a rule instance of (SLtR) or (□→L), $\Box\varphi$ is called the diagonal formula [38]. 
The non-modal rules are taken from the calculus for IPC for which backward 
proof search strongly terminates [11]. The key point is that the usual intuitionistic 
left implication rule is replaced by four implication rules depending on the main 
connective in the antecedent of the principal formula, in such a way that each 
premise is less complex than the conclusion. In particular, when considering 
the rule (→→L), an application of the "regular" left implication rule yields the 
more complex left premise $\Gamma, (\varphi \to \psi) \to \chi \Rightarrow \varphi \to \psi$, which is (semantically) 
equivalent to the simpler left premise stated in rule (→→L). 
We proceed to give semantic intuitions for the rules (SLtR) and (□→L). 
The (SLtR) rule has similarities with the rule (GLR) (shown below) from 
sequent calculi for provability logics such as GL, but with two major differences: 
(1) the non-boxed formulae $\Phi$ in the antecedent of the sequent are preserved from 
conclusion to premise in (SLtR), while they are deleted in (GLR); and (2) the 
formulae in $\Box\Gamma$ are not preserved upwards in (SLtR), while they are in (GLR). 

$$\frac{\Phi, \Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi}\ (\mathrm{SLtR}) \qquad \frac{\Gamma, \Box\Gamma, \Box\varphi \Rightarrow \varphi}{\Phi, \Box\Gamma \Rightarrow \Box\varphi}\ (\mathrm{GLR})$$

From a backward proof search perspective, both rules correspond, semantically, 
to a "modal jump" from a point $w$ which falsifies the conclusion $\Phi, \Box\Gamma \Rightarrow \Box\varphi$ to 
a modal successor $v$ which forces $\Gamma$ but falsifies the succedent $\varphi$ of the premise. 
The underlying relation $R$ in both logics is transitive and converse well-founded. 
Using converse well-foundedness we can assume that $v$ is the last modal succes- 
sor making $\varphi$ false, thus $v$ forces $\Box\varphi$ in both logics. Transitivity implies that $v$ 
forces $\Box\Gamma$ in both logics, so all its successors force $\Gamma$. But, in iSL, the underly- 
ing relation $R$ is included in $\leq$, so forcing also persists along $R$ and $v$ forces $\Phi$ 
in iSL, but not in GL, thus explaining difference (1). Thanks to persistence, $v$ 
forcing $\Gamma$ implies that all its successors force $\Gamma$, meaning that $v$ forces $\Box\Gamma$ 
already, thus explaining difference (2). 

The two premises of (□→L) capture how $\Box\varphi \to \psi$ in the antecedent of the 
conclusion can be true. The simple case is when $\psi$ is true, which corresponds to 
the right premise. The more complicated case is when $\psi$ is not true, implying 
that $\Box\varphi$ must also be not true. Now, $\Box\varphi$ true semantically means that $\varphi$ is true 
in all modal successors, hence $\Box\varphi$ not true means that $\varphi$ is not true in a modal 
successor. But converse well-foundedness implies the existence of a last modal 
successor where $\varphi$ is not true, with all its modal successors making $\varphi$ true. The 
left premise corresponds to this last modal successor, as it encodes that $\varphi$ is not 
true but $\Box\varphi$ is true. Moreover, this last modal successor is also an intuitionistic 
successor as $R \subseteq \leq$. By persistence, this last successor must also make $\Box\varphi \to \psi$ 
true. But then, a simple modus ponens on $\Box\varphi$ and $\Box\varphi \to \psi$ gives us $\psi$. 

Finally, we show that G4iSLt indeed captures the set of theorems of iSL. 

Theorem 1. For all $\varphi$ we have: $\emptyset \vdash_{\mathsf{iSLH}} \varphi$ iff $\Rightarrow \varphi$ is provable in G4iSLt. 

Proof. We proved in Coq the two following results. 
(1) $\Gamma \vdash_{\mathsf{iSLH}} \varphi$ implies there exists a finite $\Gamma' \subseteq \Gamma$ s.t. $\Gamma' \Rightarrow \varphi$ is provable in G4iSLt; 
(2) $\Gamma \Rightarrow \varphi$ is provable in G4iSLt implies $\Gamma \models \varphi$. 

The result (1), which relies on the admissibility of cut (Theorem 2), shows that 
G4iSLt is (strongly) complete with respect to iSLH and gives us the left-to-right 
direction of our theorem. The other direction involves the soundness of G4iSLt 
w.r.t. the local consequence shown in (2), as well as the (non-formalised) result 
of (weak) completeness of iSLH w.r.t. the local consequence obtained by Ardeshir 
and Mojtahedi [3]. □ 


3 Admissible Rules in G4iSLt 


This section aims at showing that the contraction rule is admissible. To do so, 
it follows the work developed by Goré and Shillito [26] on the sequent calculus 
GL4ip for the intuitionistic provability logic iGL, which itself builds on the 
work of Dyckhoff and Negri [13] on G4ip. Most of the overall structure of the 
argument is the same as for the case of GL4ip, except for the crucial and typical 
left-unboxing rule (X), shown to be height-preserving admissible. 

Most of the results of this section are proven by inductions on the weight of 
formulae and/or height of derivations. We omit the Coq encodings for brevity. 


Lemma 2 (Height-preserving invertibility of rules). The rules (∧R), 
(∧L), (∨L), (→R), (p→L), (∧→L), (∨→L) are height-preserving invertible. 


We present height-preserving admissible and admissible rules in Fig. 3. 

The structural rules of weakening (Wkn), contraction (Ctr) and exchange 
(Exc), are all (at least) admissible. The presence of the latter may be surprising, 
as the sequents we use are based on multisets. However, as mentioned earlier, 
our formalisation encodes sequents using lists and not multisets. So, the formal 
proof of the height-preserving admissibility of (Exc) shows that list-sequents of 
our formalisation mimic multiset-sequents of the pen-and-paper definition. In 
fact, we designed the formalisation of G4iSLt so that it admits exchange [26]. 

The rule (X) is quite typical of the logic iSL, as it reflects one of its theorems: 
the completeness axiom $\varphi \to \Box\varphi$. Indeed, this axiom implies that $\Gamma$ entails $\Box\Gamma$, 
allowing the replacement of $\Box\Gamma$ by $\Gamma$ in the antecedent of a provable sequent 
while preserving provability. The height-preserving admissibility of (X) is cru- 
cially used in many places, notably Lemma 2 and the admissibility of cut. 

The height-preserving admissibility of (□→LIR) and (→→LIR) shows 
height-preserving invertibility in the right premise of the rules (□→L) and 
(→→L). 

The admissible rule (→L) is the traditional left-implication rule. We use this 
rule to prove the admissibility of (→→LIL), resembling the invertibility in the 
left premise of (→→L). In turn, (→→LIL) is crucial in the admissibility of (Ctr). 
Height-preserving admissible rules 

(Exc) $\dfrac{\Gamma_0, \Gamma_2, \Gamma_1, \Gamma_3, \Gamma_4 \Rightarrow \chi}{\Gamma_0, \Gamma_1, \Gamma_2, \Gamma_3, \Gamma_4 \Rightarrow \chi}$ 
(Wkn) $\dfrac{\Gamma \Rightarrow \chi}{\varphi, \Gamma \Rightarrow \chi}$ 
(X) $\dfrac{\Phi, \Box\Gamma \Rightarrow \chi}{\Phi, \Gamma \Rightarrow \chi}$ 
(□→LIR) $\dfrac{\Phi, \Box\Gamma, \Box\varphi \to \psi \Rightarrow \chi}{\Phi, \Box\Gamma, \psi \Rightarrow \chi}$ 
(→→LIR) $\dfrac{\Gamma, (\varphi \to \psi) \to \chi \Rightarrow \delta}{\Gamma, \chi \Rightarrow \delta}$ 

Admissible rules 

(→L) $\dfrac{\Gamma, \varphi \to \psi \Rightarrow \varphi \quad \Gamma, \psi \Rightarrow \chi}{\Gamma, \varphi \to \psi \Rightarrow \chi}$ 
(→→LIL) $\dfrac{\Gamma, (\varphi \to \psi) \to \chi \Rightarrow \delta}{\Gamma, \varphi, \psi \to \chi \Rightarrow \psi}$ 
(Ctr) $\dfrac{\varphi, \varphi, \Gamma \Rightarrow \chi}{\varphi, \Gamma \Rightarrow \chi}$ 

Fig. 3. Height-preserving admissible and admissible rules in G4iSLt. 


In the following section we introduce a measure on sequents which we use to 
show that the naive backward proof search strategy for G4iSLt terminates. This 
measure could thus be used to derive the notion of maximum height of derivations 
(mhd) for a sequent, as was done in previous works [24,26]. There, the mhd 
measure was used as secondary induction measure in the proof of admissibility 
of cut. Here, we simply use the termination measure instead. 


4 Naive Backward Proof Search Terminates 


Sequent calculi enjoying cut-elimination can often be used to decide whether a 
given formula $\varphi$ is deducible from a given set of assumptions $\Gamma$ by strategically 
applying the rules "backwards" from the end-sequent $\Gamma \Rightarrow \varphi$. To obtain a decision 
procedure, we require a backward proof search strategy which terminates and is 
complete, i.e. which provides a proof for any sequent provable in the calculus. 
But often, terminating complete strategies necessitate a “loop check” mech- 
anism, that stops the search if the same sequent appears twice on a branch. For 
example, the sequent calculus LJ, for propositional intuitionistic logic, only has 
a strategy with loop check as terminating complete strategy. The termination 
of these strategies is messy to reason about, as in most cases their unguarded 
version is not terminating and results in proof trees with infinite branches. 
While some calculi have terminating complete strategies without loop checks, 
like GLS for GL [24] and GL4ip for iGL [20], we consider a stronger kind of 
calculus: calculi with strongly terminating backward proof search, such as G4ip 
for intuitionistic propositional logic [12]. Backward proof search for a sequent 
calculus is strongly terminating if and only if all backward proof search strategies 
for this calculus, complete or not, terminate. This characterisation has other 
equivalent forms: (1) the naive backward proof search strategy terminates, and 
(2) there is a well-founded ordering on sequents decreasing upwards in all the 
rules of the calculus. In contrast, backward proof search is weakly terminating if 
and only if there is a terminating complete strategy for this calculus. 

In this section we show that backward proof search for G4iSLt is strongly 
terminating. More precisely, we show that the naive strategy terminates. To do 
this, we need two ingredients: (1) a locally defined measure on sequents, and (2) a 
well-founded order making this measure decrease upwards in the rules of G4iSLt. 


4.1 Shortlex: A Well-Founded Order on list N 


We define the shortlex order, which is a well-founded order on list N, i.e. the 
set of all lists of natural numbers. 

In the following, we use < to mean the usual ordering on natural numbers. 
Let us recall the definition of the lexicographic order on lists of natural numbers. 


Definition 7 (Lexicographic order). Let $n \in \mathbb{N}$. We define the lexicographic 
order $<^n_{lex}$ on lists of natural numbers of length $n$. For two lists of natural num- 
bers $[m_1; \ldots; m_n]$ and $[k_1; \ldots; k_n]$, we write $[m_1; \ldots; m_n] <^n_{lex} [k_1; \ldots; k_n]$ if 
there is a $1 \leq j \leq n$ such that: (1) $m_p = k_p$ for all $1 \leq p < j$, and (2) $m_j < k_j$. 

Note that as $<$ is a well-founded order, $<^n_{lex}$ is also well-founded [36]. 
Finally, we define the shortlex order, also called breadth-first [31] or length- 
lexicographic order, over lists of natural numbers (viewed as $n$-tuples). 

Definition 8 (Shortlex order). The shortlex order over lists of natural num- 
bers, noted $\ll$, is defined as follows. For two lists $l_0$ and $l_1$ of natural numbers, 
we say that $l_0 \ll l_1$ whenever one of the following conditions is satisfied: 

1. $\mathrm{length}(l_0) < \mathrm{length}(l_1)$; 
2. $\mathrm{length}(l_0) = \mathrm{length}(l_1) = n$ and $l_0 <^n_{lex} l_1$. 

Intuitively, the shortlex order orders lists according to their length and 
follows the lexicographic order whenever length does not discriminate. Note that 
on top of being well-founded, $\ll$ is obviously transitive. 


4.2 A (list N)-Measure on Sequents 


We proceed to attach to each sequent $\Gamma \Rightarrow \chi$ a "measure" $\Theta(\Gamma \Rightarrow \chi)$ which 
is a (finite) list of natural numbers, i.e. of type list N. For simplicity, in the 
following we consider a fixed sequent $\Gamma \Rightarrow \chi$ for which we define the measure. 
To introduce our measure, we first wish to explain why the measure used for 
GL4ip [26], acting as a substitute of the Dershowitz-Manna order [10] considered 
in Dyckhoff's article on G4ip [11], does not work for our purpose. The explanation 
of this failure justifies the modification we made to obtain the measure for G4iSLt. 
The intuition behind the measure for GL4ip and G4ip is the following: for a 
multiset we create an ordered list of counters, one for each weight, counting the 
occurrences of topmost formulae of that weight. In more detail, take a finite multiset of formulae $\Delta$. 
As it is finite, it contains a topmost formula of maximal weight $n$. We can create 
a list of length $n$ such that at each position $m$ in the list (counting from right 
to left) for $1 \leq m \leq n$, we find the number of occurrences in $\Delta$ of topmost 
formulae of weight $m$. Such a list gives the count of occurrences in $\Delta$ of formulae 
of weight $n$ in its leftmost (i.e. $n$-th) component, then of occurrences of formulae 
of weight $n - 1$ in the next (i.e. $(n - 1)$-th) component, and so on until we reach 1. 
The measure for GL4ip and G4ip consisted in attaching to $\Gamma \Rightarrow \chi$ the list 
obtained by applying the above procedure on the multiset $\Gamma \uplus \{\chi\}$. Call this 
function $\Theta_{fail}$. This measure fails to show termination of the naive strategy for 
G4iSLt, as it does not decrease upwards in the following application of (SLtR). 

$$\frac{\Box p \Rightarrow p}{\Rightarrow \Box p}\ (\mathrm{SLtR})$$

We have that $\Theta_{fail}(\Rightarrow \Box p) = [1, 0]$ because $\Box p$ is the formula of maximum 
weight 2, and it is the only formula with this weight occurring in the list, while 
no formula of weight 1 appears in $\Rightarrow \Box p$. In addition to that, we have that 
$\Theta_{fail}(\Box p \Rightarrow p) = [1, 1]$. Consequently, we obtain $\Theta_{fail}(\Rightarrow \Box p) \ll \Theta_{fail}(\Box p \Rightarrow p)$: 
the measure increased upwards. So, the measure used for GL4ip and G4ip cannot 
be used here. We need to define another one. 

With enough scrutinising, one can notice that in G4iSLt the principal box of 
a boxed formula in the antecedent of a sequent is a "deadweight". More precisely, 
once a formula $\Box\varphi$ is in the antecedent of a sequent, only two things can happen 
to its outermost box: it is either deleted (via the modal rule (SLtR) or (□→L)), or 
else it is preserved (through all other rules). Intuitively, this observation suggests 
that boxed formulae in the antecedent are destined to be unboxed eventually in 
the upward application of rules, without having any other effect. 

Consequently, as the top-level boxes in the antecedent of a sequent are dead- 
weights, we can think about unboxing the antecedent of $\Gamma \Rightarrow \chi$ before applying 
the procedure described above. This is precisely what we do: if $\Gamma$ is of the shape 
$\Gamma_0, \Box\Gamma_1$ with no boxed formula in $\Gamma_0$, we define $\Theta(\Gamma \Rightarrow \chi)$ to be the list of natural 
numbers obtained via the above machinery applied on the multiset $\Gamma_0 \uplus \Gamma_1 \uplus \{\chi\}$. 

For example, to compute Θ(□(p ∧ q), p ∨ q ⇒ q → p), we first unbox the 
antecedent of this sequent by transforming □(p ∧ q) into p ∧ q to obtain the 
multiset {p ∧ q, p ∨ q, q → p}. Because p ∧ q is the only formula of maximum 
weight four, our list of length four begins with 1. Since both p ∨ q and q → p are 
of weight three, the second element is 2. Finally, since there are no formulae of 
weights two and one, we obtain Θ(□(p ∧ q), p ∨ q ⇒ q → p) = [1, 2, 0, 0]. Following 
this explanation, observe that the issue we faced with ⇒ □p and □p ⇒ p is now 
fixed: we first unbox □p in □p ⇒ p, hence Θ(□p ⇒ p) = [2] ≪ [1, 0] = Θ(⇒ □p). 

Two things need to be noted about such lists. First, if no topmost occurrence 
of a formula is of weight 1 ≤ k ≤ n, then a 0 appears in position k in the list. 
This is the case for the weight 2 in the last example above. Second, as no formula 
is of weight 0 we do not dedicate a position for this particular weight in our list. 
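As an added illustration (not code from the paper or from its Coq development), the following Python snippet implements the procedure just described: it computes the earlier GL4ip/G4ip measure and the new measure Θ on the sequents used above, and compares the resulting lists. Two ingredients are assumptions because this page does not state them: the weight function is taken to be Dyckhoff's weight with the extra clause w(□A) = w(A) + 1 (which reproduces w(p ∧ q) = 4, w(p ∨ q) = w(q → p) = 3 and w(□p) = 2 from the text), and ≪ is taken to compare lists by length first and then lexicographically (which reproduces [2] ≪ [1, 0]).

```python
# Added example, not from the paper: Θ on sequents of G4iSLt and the ≪ ordering.
# Assumptions not stated on this page: the weight function is Dyckhoff's weight
# extended with w(□A) = w(A) + 1, and ≪ orders lists by length first and then
# lexicographically.
from collections import Counter
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Atom:
    name: str


@dataclass(frozen=True)
class Bot:
    pass


@dataclass(frozen=True)
class Bin:
    op: str            # "and", "or" or "imp"
    left: "Formula"
    right: "Formula"


@dataclass(frozen=True)
class Box:
    sub: "Formula"


Formula = Union[Atom, Bot, Bin, Box]


def weight(f: Formula) -> int:
    """Weight of a formula (assumed clauses, see the comment above)."""
    if isinstance(f, (Atom, Bot)):
        return 1
    if isinstance(f, Box):
        return weight(f.sub) + 1
    extra = 2 if f.op == "and" else 1     # conjunction counts two extra, as in G4ip
    return weight(f.left) + weight(f.right) + extra


def weight_list(multiset) -> list:
    """Position k (1-based) holds the number of formulas of weight n-k+1,
    where n is the maximal weight present; an absent weight gives a 0."""
    counts = Counter(weight(f) for f in multiset)
    n = max(counts)
    return [counts.get(w, 0) for w in range(n, 0, -1)]


def theta_fail(antecedent, succedent) -> list:
    """The GL4ip/G4ip measure: apply weight_list to Γ ⊎ {χ} directly."""
    return weight_list(list(antecedent) + [succedent])


def theta(antecedent, succedent) -> list:
    """Θ(Γ ⇒ χ): first strip the outermost box of every boxed formula in Γ
    (the 'deadweight'), then apply weight_list to Γ0 ⊎ Γ1 ⊎ {χ}."""
    unboxed = [f.sub if isinstance(f, Box) else f for f in antecedent]
    return weight_list(unboxed + [succedent])


def ll(a: list, b: list) -> bool:
    """a ≪ b (assumed definition): shorter list first, then lexicographic."""
    return (len(a), a) < (len(b), b)


def decreases_upwards(measure, premise, conclusion) -> bool:
    """Check for one rule instance that measure(premise) ≪ measure(conclusion)."""
    return ll(measure(*premise), measure(*conclusion))


# Constructed sequents taken from the text above.
p, q = Atom("p"), Atom("q")
sltr_premise = ([Box(p)], p)        # □p ⇒ p
sltr_conclusion = ([], Box(p))      # ⇒ □p
example = ([Box(Bin("and", p, q)), Bin("or", p, q)], Bin("imp", q, p))  # □(p∧q), p∨q ⇒ q→p

if __name__ == "__main__":
    print(theta_fail(*sltr_conclusion), theta_fail(*sltr_premise))   # [1, 0] [1, 1]
    print(theta(*sltr_conclusion), theta(*sltr_premise))             # [1, 0] [2]
    print(theta(*example))                                           # [1, 2, 0, 0]
    print(decreases_upwards(theta_fail, sltr_premise, sltr_conclusion),
          decreases_upwards(theta, sltr_premise, sltr_conclusion))   # False True
```

The last line of the demonstration is the point of the passage: on the (SLtR) instance the old measure grows upwards while Θ shrinks. The same function also shows why contraction is excluded later in the paper, since Θ(Γ, φ, φ ⇒ χ) has one more formula than Θ(Γ, φ ⇒ χ) and is therefore never ≪-smaller.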
4.3 Every Rule of G4iSLt Reduces Θ Upwards 


We obtain the sought after result about our measure Θ: it decreases upwards 
through the rules of G4iSLt on the ≪ ordering. 


Lemma 3. For all sequents S0, S1, ..., Sn and for all 1 ≤ i ≤ n, if there is an 
instance of a rule r of G4iSLt of the form below, then Θ(Si) ≪ Θ(S0): 

  S1 ... Sn 
  ───────── r 
     S0 


Clearly, this result implies that the naive strategy for G4iSLt terminates: any 
rule application makes the measure decrease on ≪, ensuring termination via 
well-foundedness of ≪. Thus, backward proof search is strongly terminating. 

Moreover, this lemma is quite crucial in the proof of admissibility of cut: as 
we use Θ(Γ ⇒ χ) as secondary induction measure (through well-foundedness of 
≪) there, we know that we can apply the secondary induction hypothesis on any 
sequent S which is a premise of Γ ⇒ χ through a rule, as Θ(S) ≪ Θ(Γ ⇒ χ). 


5 Cut-Elimination for G4iSLt 


To reach cut-elimination, our main theorem, we first state and prove the admis- 
sibility of the cut rule in a direct and purely syntactic way. More precisely, we 
prove that the additive-cut rule, with cut formula φ, is admissible. This state- 
ment and its formalisation are given below, where Γ is encoded as Γ0++Γ1. 


Theorem 2 (Admissibility of additive-cut). The additive cut rule below is 
admissible in G4iSLt. 

  Γ ⇒ φ    φ, Γ ⇒ χ 
  ───────────────── (Cut) 
        Γ ⇒ χ 


Theorem G4iSLt_cut_adm : forall φ Γ0 Γ1 χ, 
  (G4iSLt_prv (Γ0++Γ1, φ) * G4iSLt_prv (Γ0++φ::Γ1, χ)) -> 
  G4iSLt_prv (Γ0++Γ1, χ). 


Proof. Let d1 (with last rule r1) and d2 (with last rule r2) be proofs in G4iSLt 
of Γ ⇒ φ and φ, Γ ⇒ χ respectively, as shown below. 

     d1              d2 
  ──────── r1    ────────── r2 
   Γ ⇒ φ         φ, Γ ⇒ χ 
We show that there is a proof in G4iSLt of Γ ⇒ χ. We reason by strong primary 
induction (PI) on the weight of the cut-formula φ, giving the primary inductive 
hypothesis (PIH). We also use a strong secondary induction (SI) on Θ(Γ ⇒ χ) of 
the conclusion of a cut, giving the secondary inductive hypothesis (SIH). Crucially, 
by using SIH we avoid the issues caused by the diagonal formula [23, 44]. 

We consider r1. In total, there are thirteen cases for r1: one for each rule in 
G4iSLt. However, we can reduce the number of cases to eight. We separate them 
by using Roman numerals and showcase the most interesting ones. 

(V) r1 = (→R): Then r1 has the following form where φ = φ0 → φ1: 

  φ0, Γ ⇒ φ1 
  ──────────── (→R) 
  Γ ⇒ φ0 → φ1 


For the cases where φ0 → φ1 is principal in r2 and r2 ≠ (□→L), or where 
r2 ∈ {(IdP), (⊥L)}, we refer to Dyckhoff and Negri's proof [13] as the cuts 
produced in these cases involve the traditional induction hypothesis PIH. We 
are left with seven sub-cases, but here again focus on the most interesting ones. 
(V-d) If r2 is (→→L) where the cut formula is not principal in r2, then it must 
have the following form where (γ0 → γ1) → γ2, Γ0 = Γ. 

  φ0 → φ1, γ1 → γ2, Γ0 ⇒ γ0 → γ1    φ0 → φ1, γ2, Γ0 ⇒ χ 
  ───────────────────────────────────────────────────── (→→L) 
          φ0 → φ1, (γ0 → γ1) → γ2, Γ0 ⇒ χ 

Thus, Γ ⇒ χ is of the form (γ0 → γ1) → γ2, Γ0 ⇒ χ and Γ ⇒ φ0 → φ1 is of the 
form (γ0 → γ1) → γ2, Γ0 ⇒ φ0 → φ1. Using the admissible rule (→→LIR) on 
the latter we obtain a proof of the sequent γ2, Γ0 ⇒ φ0 → φ1. Then consider the 
following proof of the sequent γ1 → γ2, Γ0 ⇒ γ0 → γ1, where the rule (→→LIL) 
deconstructs the implication (γ0 → γ1) → γ2, rule (Ctr) contracts γ1 → γ2 and 
Lemma 2 is the invertibility of the rule (→R). 


[Derivation tree (garbled in extraction): starting from (γ0 → γ1) → γ2, Γ0 ⇒ φ0 → φ1 
and the left premise φ0 → φ1, γ1 → γ2, Γ0 ⇒ γ0 → γ1 of r2, it applies (→→LIL), (Ctr), 
Lemma 2 and SIH to obtain γ0, γ1 → γ2, Γ0 ⇒ γ1, and ends with (→R) yielding 
γ1 → γ2, Γ0 ⇒ γ0 → γ1.] 


The crucial point here is to see that the use of SIH is justified, in other words, 
that Θ(γ0, γ1 → γ2, Γ0 ⇒ γ1) ≪ Θ((γ0 → γ1) → γ2, Γ0 ⇒ χ). This is the 
case as the rule applications (→→L) and (→R) entail Θ(γ0, γ1 → γ2, Γ0 ⇒ γ1) 
≪ Θ(γ1 → γ2, Γ0 ⇒ γ0 → γ1) ≪ Θ((γ0 → γ1) → γ2, Γ0 ⇒ χ) by Lemma 3, 
hence Θ(γ0, γ1 → γ2, Γ0 ⇒ γ1) ≪ Θ((γ0 → γ1) → γ2, Γ0 ⇒ χ) by transitivity 
of ≪. So, we are done. Note that the created cut could not be justified by usual 
induction on height, as the admissibility of (→→LIL) is not height-preserving. 
(V-f) If r2 is (□→L) with a principal formula different from the cut formula, 
then it must have the following form where □γ0 → ψ1, Φ, □Γ0 = Γ. 

  φ0 → φ1, ψ1, Φ, Γ0, □γ0 ⇒ γ0    ψ1, φ0 → φ1, Φ, □Γ0 ⇒ χ 
  ──────────────────────────────────────────────────────── (□→L) 
           φ0 → φ1, □γ0 → ψ1, Φ, □Γ0 ⇒ χ 

Thus, we have that Γ ⇒ χ and Γ ⇒ φ0 → φ1 are respectively of the form 
□γ0 → ψ1, Φ, □Γ0 ⇒ χ and □γ0 → ψ1, Φ, □Γ0 ⇒ φ0 → φ1. Using the admissible 
rule (□→LIR) on the latter we obtain a proof of ψ1, Φ, □Γ0 ⇒ φ0 → φ1. Then, 
we proceed as follows by combining the proof π second-below with the first one. 


                        ψ1, Φ, □Γ0 ⇒ φ0 → φ1    ψ1, φ0 → φ1, Φ, □Γ0 ⇒ χ 
         π              ──────────────────────────────────────────────── SIH 
  ψ1, Φ, Γ0, □γ0 ⇒ γ0                 ψ1, Φ, □Γ0 ⇒ χ 
  ─────────────────────────────────────────────────── (□→L) 
              □γ0 → ψ1, Φ, □Γ0 ⇒ χ 

[The proof π (garbled in extraction) derives ψ1, Φ, Γ0, □γ0 ⇒ γ0 by applying SIH 
to ψ1, Φ, Γ0, □γ0 ⇒ φ0 → φ1, itself obtained from □γ0 → ψ1, Φ, □Γ0 ⇒ φ0 → φ1 
using (□→LIR) and (→R), and to the left premise φ0 → φ1, ψ1, Φ, Γ0, □γ0 ⇒ γ0 of r2.] 
Note that both uses of SIH are justified here, as the last rule in the first proof is 
an instance of (□→L), hence Θ(ψ1, Φ, □Γ0 ⇒ χ) ≪ Θ(□γ0 → ψ1, Φ, □Γ0 ⇒ χ) 
and Θ(ψ1, Φ, Γ0, □γ0 ⇒ γ0) ≪ Θ(□γ0 → ψ1, Φ, □Γ0 ⇒ χ) by Lemma 3. 

(VII) r1 = (□→L): Then r1 is as follows, where □γ0 → ψ1, Φ, □Γ0 = Γ. 

  ψ1, Φ, Γ0, □γ0 ⇒ γ0    ψ1, Φ, □Γ0 ⇒ φ 
  ─────────────────────────────────────── (□→L) 
         □γ0 → ψ1, Φ, □Γ0 ⇒ φ 

Thus, the sequents Γ ⇒ χ and φ, Γ ⇒ χ are of the form □γ0 → ψ1, Φ, □Γ0 ⇒ χ 
and φ, □γ0 → ψ1, Φ, □Γ0 ⇒ χ, respectively. Then, we proceed as follows. 

                                        φ, □γ0 → ψ1, Φ, □Γ0 ⇒ χ 
                                        ───────────────────────── (□→LIR) 
                      ψ1, Φ, □Γ0 ⇒ φ    φ, ψ1, Φ, □Γ0 ⇒ χ 
                      ──────────────────────────────────── SIH 
  ψ1, Φ, Γ0, □γ0 ⇒ γ0            ψ1, Φ, □Γ0 ⇒ χ 
  ────────────────────────────────────────────── (□→L) 
            □γ0 → ψ1, Φ, □Γ0 ⇒ χ 


Note that the use of SIH is justified, as the last rule in this proof gives us 
Θ(ψ1, Φ, □Γ0 ⇒ χ) ≪ Θ(□γ0 → ψ1, Φ, □Γ0 ⇒ χ) by Lemma 3. 


(VIII) r1 = (SLtR): Then φ is the diagonal formula in r1: 

  Φ, Γ0, □φ0 ⇒ φ0 
  ──────────────── (SLtR) 
   Φ, □Γ0 ⇒ □φ0 

where φ = □φ0 and Φ, □Γ0 = Γ. Thus we have that Γ ⇒ χ and φ, Γ ⇒ χ are 
respectively of the form Φ, □Γ0 ⇒ χ and □φ0, Φ, □Γ0 ⇒ χ. We now consider r2. 

(VIII-b) If r2 is (□→L) it is of the following form, where Φ = □γ0 → ψ1, Φ0. 

  ψ1, φ0, Φ0, Γ0, □γ0 ⇒ γ0    ψ1, □φ0, Φ0, □Γ0 ⇒ χ 
  ───────────────────────────────────────────────── (□→L) 
         □γ0 → ψ1, □φ0, Φ0, □Γ0 ⇒ χ 

We proceed as follows. 


[Two derivation trees (garbled in extraction); π is the first of them and ends in 
the sequent ψ1, Φ0, Γ0, □γ0 ⇒ γ0, the second ends with an application of (□→L) 
yielding □γ0 → ψ1, Φ0, □Γ0 ⇒ χ; between them they use (Wkn), (□→LIR) and 
two applications of SIH.] 


Note that both uses of SIH are justified here as the rule application (□→L) 
entails Θ(ψ1, Φ0, Γ0, □γ0 ⇒ γ0) ≪ Θ(□γ0 → ψ1, Φ0, □Γ0 ⇒ χ) and we have 
Θ(ψ1, Φ0, □Γ0 ⇒ χ) ≪ Θ(□γ0 → ψ1, Φ0, □Γ0 ⇒ χ) by Lemma 3. 
(VIII-c) If r2 is (SLtR), then it is of the following form where χ = □χ0. 

  Φ, φ0, Γ0, □χ0 ⇒ χ0 
  ─────────────────── (SLtR) 
  Φ, □φ0, □Γ0 ⇒ □χ0 

We proceed as follows. 

[Derivation tree (garbled in extraction): the premises of r1 and r2 are weakened 
by (Wkn) to the sequents Φ, Γ0, □χ0 ⇒ φ0 and φ0, Φ, Γ0, □χ0 ⇒ χ0, on which 
SIH yields Φ, Γ0, □χ0 ⇒ χ0; a final application of (SLtR) gives Φ, □Γ0 ⇒ □χ0.] 

The use of SIH is justified because the last rule in this proof ensures that 
Θ(Φ, Γ0, □χ0 ⇒ χ0) ≪ Θ(Φ, □Γ0 ⇒ □χ0) by Lemma 3. ∎ 


The attentive reader may have noticed that our proof technique requires the 
use of additive, and not multiplicative, cuts. Indeed, the use of SIH relies on the 
decrease of the measure Θ, which is notably ensured by the upward application 
of any rule of the calculus. More generally, in the proof of admissibility if the 
cut we initially consider has Γ ⇒ χ as conclusion, then we can justify a cut with 
conclusion Γ' ⇒ χ' using SIH as long as we have a chain r0, ..., rn of applications 
of rules of G4iSLt of the following form. 

   Γ' ⇒ χ' 
  ───────── rn 
      ⋮ 
  ───────── r0 
    Γ ⇒ χ 

However, the contraction rule does not ensure the decrease of the measure Θ 
from conclusion to premise: it is not the case that Θ(Γ, φ, φ ⇒ χ) ≪ Θ(Γ, φ ⇒ χ). 
So, this prevents us from allowing one of r0, ..., rn above to be (Ctr). This is 
where multiplicative cuts are problematic: they most often use the contraction 
rule as follows, where Γ ⇒ χ is the conclusion of the initial cut and Γ', Γ'' ⇒ χ' 
is the conclusion of the cut we want to justify through SIH. 

[Derivation (garbled in extraction): Γ', Γ'' ⇒ χ' at the top, an instance of (Ctr) 
below it, and Γ ⇒ χ at the bottom.] 

Unfortunately, the presence of the contraction rule above Γ ⇒ χ disallows us 
from using SIH on Γ', Γ'' ⇒ χ', as we are not ensured that the measure decreased 
between the two sequents. So, our proof technique prohibited us from using 
multiplicative cuts, forcing us to use additive ones. This observation was already 
made by Goré and Shillito [26]. 

Using our purely syntactic proof of cut-admissibility above, we easily obtain a 
cut-elimination procedure for the calculus G4iSLt extended with (cut), by simply 
repetitively eliminating topmost cuts first. To effectively prove this statement in 
Coq we explicitly encode the additive cut rule as follows: 

  (Γ0++Γ1, φ)    (Γ0++φ::Γ1, χ) 
  ───────────────────────────── 
          (Γ0++Γ1, χ) 


We encode the calculus G4iSLt + (cut) as G4iSLt_cut_rules, i.e. 
G4iSLt_rules enhanced with (cut). Finally, we turn to the elimination of addi- 
tive cuts: 


Theorem 3. The additive cut rule is eliminable from G4iSLt + (cut). 


Theorem G4iSLt_cut_elimination : forall s, 
  (G4iSLt_cut_prv s) -> (G4iSLt_prv s). 


The above theorem shows that any proof in G4iSLt + (cut) of a sequent, 
i.e. G4iSLt_cut_prv s, can be transformed into a proof in G4iSLt of the same 
sequent. As this theorem is in fact a constructive function based on Type, we can 
use the extraction feature of Coq and obtain a cut-eliminating Haskell program. 


6 Conclusion 


This paper introduces a sequent calculus for iSL, denoted G4iSLt. It is an 
improvement over the sequent calculus G4iSL from [21], because backward proof 
search for G4iSLt is strongly terminating (instead of weakly terminating) shown 
via a new well-founded measure, and cut-elimination is proved directly (instead 
of indirectly via an equivalent calculus based on G3i [21]). All our results are 
formalised in Coq in a constructive way. In turn, Coq’s extraction mechanism 
can generate a Haskell program for the cut-elimination procedure for G4iSLt. 

One of the reasons to develop G4iSLt is to use its strongly terminating proof 
search to investigate uniform interpolation, a strengthening of Craig interpolation, 
in the setting of intuitionistic provability logics. Typically, calculi with good 
(weakly or strongly) terminating proof search form good grounds for constructive 
proofs of uniform interpolation (see e.g. [2,5,22,28,37,41–43]). 

We also suggest to develop a countermodel construction for G4iSLt similarly 
to the one for G4iSL in [21]. Furthermore, as iSL is an intuitionistic modal logic 
only defined with □, there is the question how it can be extended by ◇ operators. 
It is clear from the literature of intuitionistic modal logics that several choices 
can be made (e.g. [4,16,33,40,47]), so we leave this for future work. 
Some Analytic Systems of Rules 
Abstract. We define two simple systems of rules, i.e. calculi with a 
global condition on the order of rule instances in a proof, for the 
modal logics of shift-reflexive and Euclidean frames respectively. Cut- 
elimination, and therefore the subformula property, can be derived 
directly from the cut-elimination property of adjacent logics. We compare 
our system to the calculus of grafted hypersequents, which has previously 
been used to capture both logics. 

We then discuss an attempt to obtain similar ‘modular’ cut-elimination 
proofs in other systems of rules. This general attempt is carried out for two 
more logics, namely the modal logic of serial frames and the intermediate 
logic axiomatised by the law of the weak excluded middle. 


1 Introduction 


Among the various proof frameworks used in the investigation of nonclassical 
logics, systems of rules as introduced by Negri [16] remain relatively little stud- 
ied. Broadly speaking, a system of rules is a sequent-type calculus with a global 
correctness condition on the order in which rules may be applied; they form an 
instance of higher-level rules [20]. In [16], for example, it is shown that extending 
the sequent calculus for intuitionistic logic with the system of rules 


[System of rules (garbled in extraction): the rules (A,B)_L and (A,B)_R, with 
premises A, B, Γ1 ⇒ Π1 and A, B, Γ2 ⇒ Π2 respectively, whose branches meet 
below in the rule (Lin) with conclusion Γ ⇒ Π.] 


yields a calculus for Gödel Logic, i.e. the extension of intuitionistic logic by the 
linearity axiom (A → B) ∨ (B → A). The schematic representation of the system 
above is understood as follows: Both rules (A,B)_L and (A,B)_R can be used in 
branches of the proof tree as long as those branches meet below in an instance 
of (Lin). By using such global conditions it is possible to capture analytically 
various logics that do not have a cutfree sequent calculus. For example, [16] 
develops systems of rules based on the labelled sequent calculus for all normal 
modal logics axiomatised by (generalised) Sahlqvist formulas. In [9] it is shown 
that proofs in the hypersequent calculus can be rewritten as particular systems 
of sequent rules, called 2-systems (and vice versa). A different use of global 
conditions is shown in [1]: By replacing the (local) eigenvariable condition in 
first-order LK-proofs by a global condition, one obtains sound but potentially 
much shorter proofs. 

The study of cut-elimination in systems of rules is in a rather unsatisfying 
stage. In [9] the analyticity of the systems of rules is obtained, but only indirectly 
via cut-elimination in the hypersequent calculus. [16] argues that a standard 
cut reduction argument goes through in the system of rules and illustrates one 
reduction step. As already remarked in [9], the argument seems to apply only 
to rules handling atomic formulas. This restriction is possible in the labelled 
sequent calculus but is too strong in an unlabelled system. 

In the first part of this article we develop grounded proofs, a simple system 
of rules for the modal logics KT⁻ and K5 of shift-reflexive and Euclidean 
frames respectively. These logics are of interest because their proof theory is 
less straightforward than that of other modal logics. In particular, neither shift- 
reflexivity nor Euclideanness is a simple frame property [13] which would guaran- 
tee the existence of a cutfree hypersequent calculus. The most elementary proof 
system for KT⁻ and K5 seems to be the grafted hypersequent calculus of Lellmann 
and Kuznets [12]. Nested [7], prefixed tableaux [14] and labelled sequent 
calculi [15] are also available. 

Our systems can be succinctly described as follows. For KT⁻, grounded 
proofs can make use of all rules of a sequent calculus for KT, with the proviso 
that every unsound modal rule has an instance of the rule (K) below it. For 
K5, grounded proofs can make use of all rules of a hypersequent calculus for 
S5, with the proviso that every unsound modal rule has an instance of the rule 
(MM) below it: 

   Γ ⇒ A                Γ1 ⇒ A1 | ... | Γn ⇒ An 
  ──────── (K)       ───────────────────────────── (MM) 
  □Γ ⇒ □A            □Γ1, ..., □Γn ⇒ □A1, ..., □An 

It is a remarkable feature of both systems that their cutfree completeness can 
be proved directly, using only the deduction theorem and the cutfreeness of the 
(hyper)sequent calculi for K, KT and S5. With these ingredients the proof is 
almost trivial for KT; for K5 we additionally have to prove a combinatorial 
lemma about hypersequent derivations. In retrospect, grounded proofs can be 
seen as proofs in the grafted hypersequent calculus that satisfy a normal form. 
We make this observation precise by defining a translation from our system into 
the grafted hypersequent calculus, thereby obtaining a new (and arguably much 
simpler) proof of cut-elimination for the latter calculus. 

In the second part of this article we explore the theme of strongly modular 
proofs of cut-elimination, i.e.: Proofs of cut-elimination that build on the cut- 
elimination property of adjacent logics (K, KT and S5 in our example) but do 
not require knowledge about how cut-elimination for these systems was obtained. 
In other words, a proof of cut-elimination is strongly modular if it uses other 
cut-elimination theorems as ‘blackboxes’. What is the scope of strongly modular 
proofs? We show that for many logics, strongly modular proofs of cut-elimination 
are possible in a simple sequent system with a global correctness condition called 
revivability. This condition however is defined only abstractly, and so the use- 
fulness of said result depends on finding a simpler equivalent characterisation of 
revivability. We conclude by showing two examples where such a simple charac- 
terisation is possible: The modal logic KD of serial frames and the intermediate 
logic LQ axiomatised by the law of the weak excluded middle. 


2 Preliminaries 


Modal Logics. By a modal logic we mean any set of formulas in the lan- 
guage {⊥, ¬, ∧, ∨, →, □} that contains all propositional tautologies, the normal- 
ity axiom □(p → q) → (□p → □q), and is closed under uniform substitution, 
Modus Ponens (from A and A → B infer B) and Necessitation (from A infer 
□A). 
The smallest modal logic (with respect to ⊆) is K. For any modal logic L and 
formula C, L+C denotes the smallest extension of L to a modal logic containing 
all instances of C. The table below lists some modal logics relevant to this paper, 
together with their corresponding frame condition (for proofs, see e.g. [5]). 


modal logic                  | frame condition   | first-order formula 
KT  := K + □p → p            | reflexive         | ∀x. xRx 
KT⁻ := K + □(□p → p)         | shift-reflexive   | ∀x∀y. xRy → yRy 
K5  := K + ¬□p → □¬□p        | Euclidean         | ∀x∀y∀z. xRy ∧ xRz → yRz 
S5  := K5 + □p → p           | totally connected | ∀x∀y. xRy 


The deduction theorem has to be slightly adapted for modal logics. We define 
□^k A := □...□A (k boxes) for k > 0 and □^0 A := A. A modalized instance of C 
is any formula of the form □^k C0 where C0 is an instance of C and k ≥ 0. Then: 

Theorem 1 (essentially [10, Theorem 2]). A ∈ K+C iff (⋀Ω) → A ∈ K 
for some finite set Ω of modalized instances of C. 


Sequent Calculi. A sequent is a pair of finite multisets of formulas written 
Γ ⇒ Δ. Its formula interpretation is ⋀Γ → ⋁Δ where ⋀∅ := ¬⊥ and ⋁∅ := ⊥. 
We say that a sequent is valid in a logic if its formula interpretation is. 

The propositional rules in Fig. 1 constitute a calculus LK for classical propo- 
sitional logic.¹ We obtain sequent calculi 

– C_K by adding the modal rule (K); 
– C_KT by adding both modal rules (K) and (T). 

¹ The metavariables in Fig. 1 are chosen such that by enforcing |Π| = 0 and |Δ| ≤ 1 
one obtains a calculus for intuitionistic logic. This will be used in Sect. 4.3. 
[Fig. 1 (garbled in extraction). It lists the rules of LK: (id), (cut), contraction (c) 
and the left and right rules for ¬, ∧, ∨ and →; the modal rules 

   Γ ⇒ A               Γ, A ⇒ Δ 
  ──────── (K)        ─────────── (T) 
  □Γ ⇒ □A             Γ, □A ⇒ Δ 

the hypersequent modal rules 

   H | Γ, A ⇒ Δ                 H | ⇒ A 
  ──────────────────── (□_L)   ────────── (□_R) 
  H | □A ⇒ | Γ ⇒ Δ              H | ⇒ □A 

the modal merging rule 

    Γ1 ⇒ A1 | ... | Γn ⇒ An 
  ───────────────────────────── (MM) 
  □Γ1, ..., □Γn ⇒ □A1, ..., □An 

and the structural hypersequent rules (ew) (external weakening) and (ec) (external 
contraction).] 

Fig. 1. Propositional, modal and structural hypersequent rules. 


Derivations in sequent calculi will be denoted by letters α, β. The formula A 
is said to be derivable in a sequent calculus if the sequent ⇒ A is. A sequent 
calculus is called adequate for a logic if the formulas it derives are exactly the 
theorems of the logic. Finally, a proof in a sequent calculus is cutfree if it does 
not use the rule (cut), and a sequent calculus admits cut-elimination if every 
sequent provable in it has a cutfree proof. The following is folklore: 

Theorem 2. The calculi C_K and C_KT are adequate for the modal logics K and 
KT respectively and admit cut-elimination. 


3 Two Systems of Rules 


The similarity of the modal logics KT⁻ and K5 lies in the fact that they are 
both ‘one step away’ from their companion logics KT and S5 respectively. That 
is, in any shift-reflexive (Euclidean) frame the subframe induced by all worlds 
reachable from some fixed world is reflexive (totally connected), and therefore 
adequate for KT (S5). We formalize this observation for later reference. 


Theorem 3. Let M be a Kripke model containing a world w, and let M_w be 
obtained from M by restricting M's frame to worlds that are reachable from w 
(using one or more steps) via the accessibility relation. Then: 

1. M, v ⊨ φ iff M_w, v ⊨ φ for all worlds v in M_w and modal formulas φ; 
2. If M is shift-reflexive, then M_w is reflexive; 
3. If M is Euclidean, then M_w is totally connected. 
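As an added example (not part of the paper), the following Python snippet checks the frame conditions of the table above on two small frames and verifies the three claims of Theorem 3 on them: it computes the generated submodel M_w, tests its frame property, and checks claim 1 by evaluating a boxed formula both in M and in M_w. The frames, the valuation and the formulas are constructed for illustration; the axiom instances □p → p, □(□p → p) and ¬□p → □¬□p are those of the table, and frame validity is decided by enumerating every valuation of the formula's atoms on the finite frame.

```python
# Added example, not from the paper: a small Kripke-frame checker for the frame
# conditions in the table and for the three claims of Theorem 3.
# The frames, valuations and formulas below are constructed for illustration.
from itertools import product


def succ(R, x):
    """R-successors of world x."""
    return {y for (x2, y) in R if x2 == x}


# Frame conditions of the table (W: set of worlds, R: set of pairs).
def reflexive(W, R):
    return all((x, x) in R for x in W)


def shift_reflexive(W, R):
    return all((y, y) in R for (x, y) in R)


def euclidean(W, R):
    return all((y, z) in R for x in W for y in succ(R, x) for z in succ(R, x))


def totally_connected(W, R):
    return all((x, y) in R for x in W for y in W)


def generated(W, R, w):
    """M_w of Theorem 3: worlds reachable from w in one or more steps."""
    reach, frontier = set(), {w}
    while frontier:
        frontier = {y for x in frontier for y in succ(R, x)} - reach
        reach |= frontier
    return frozenset(reach), frozenset((x, y) for (x, y) in R if x in reach and y in reach)


def holds(f, W, R, V, x):
    """Truth at world x; formulas are tuples such as ("box", ("atom", "p"))."""
    tag = f[0]
    if tag == "bot":
        return False
    if tag == "atom":
        return x in V[f[1]]
    if tag == "not":
        return not holds(f[1], W, R, V, x)
    if tag == "and":
        return holds(f[1], W, R, V, x) and holds(f[2], W, R, V, x)
    if tag == "or":
        return holds(f[1], W, R, V, x) or holds(f[2], W, R, V, x)
    if tag == "imp":
        return (not holds(f[1], W, R, V, x)) or holds(f[2], W, R, V, x)
    if tag == "box":
        return all(holds(f[1], W, R, V, y) for y in succ(R, x))
    raise ValueError(tag)


def atoms(f):
    """Propositional variables occurring in f."""
    if f[0] == "atom":
        return {f[1]}
    return set().union(*(atoms(g) for g in f[1:])) if len(f) > 1 else set()


def valid_on_frame(f, W, R):
    """Frame validity: f holds at every world under every valuation of its atoms."""
    cells = [(a, w) for a in sorted(atoms(f)) for w in sorted(W)]
    for bits in product((False, True), repeat=len(cells)):
        V = {a: set() for a, _ in cells}
        for (a, w), b in zip(cells, bits):
            if b:
                V[a].add(w)
        if not all(holds(f, W, R, V, x) for x in W):
            return False
    return True


def preserved_in_generated(f, W, R, V, w):
    """Theorem 3(1): M, v ⊨ f iff M_w, v ⊨ f for every v in M_w."""
    Ww, Rw = generated(W, R, w)
    return all(holds(f, W, R, V, v) == holds(f, Ww, Rw, V, v) for v in Ww)


P = ("atom", "p")
AX_T = ("imp", ("box", P), P)                                       # □p → p
AX_SHIFT = ("box", AX_T)                                            # □(□p → p)
AX_5 = ("imp", ("not", ("box", P)), ("box", ("not", ("box", P))))   # ¬□p → □¬□p

# Constructed frames: F_SR is shift-reflexive but not reflexive (a does not see
# itself), F_EU is Euclidean but not totally connected (a is not reachable).
F_SR = ({"a", "b"}, {("a", "b"), ("b", "b")})
F_EU = ({"a", "b", "c"},
        {("a", "b"), ("a", "c"), ("b", "b"), ("b", "c"), ("c", "b"), ("c", "c")})

if __name__ == "__main__":
    print(shift_reflexive(*F_SR), reflexive(*F_SR), reflexive(*generated(*F_SR, "a")))
    print(euclidean(*F_EU), totally_connected(*F_EU), totally_connected(*generated(*F_EU, "a")))
    print(valid_on_frame(AX_SHIFT, *F_SR), valid_on_frame(AX_T, *F_SR), valid_on_frame(AX_5, *F_EU))
```

The first two printed lines are claims 2 and 3 of the theorem on the constructed frames; the third line shows the correspondence from the table in action, since the shift-reflexive frame validates □(□p → p) but not □p → p, and the Euclidean frame validates the K5 axiom.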


From this one can easily deduce the following known equivalences: 


Theorem 4. □A ∈ KT⁻ ⟺ A ∈ KT and □A ∈ K5 ⟺ A ∈ S5. 

Theorem 4 implies that we can use the sequent calculus C_KT and the hyper- 
sequent calculus HS5 (see Sect. 3.2) to derive formulas in the boxed fragment 
of KT⁻ and K5. But it is not immediate what Theorem 4 tells us about 
the proofs of theorems in KT⁻ and K5 that are not prefixed with □, e.g. 
¬□p → □¬□p ∈ K5 or □□p → □p ∈ KT⁻. 


3.1 KT⁻ 


We start by describing a simple system of rules for KT⁻, which is obtained by 
imposing a global constraint on C_KT-proofs. The crucial notion is the following: 

Definition 1 (grounded C_KT-proof). A proof in C_KT is grounded if any 
lowermost modal inference in it is (K). 

In other words, only those instances of (T) are admitted in a grounded C_KT- 
proof that have an instance of (K) below. No exact pairing is required, i.e. the 
same instance of (K) can ‘ground’ multiple instances of (T) above it. Figure 2 
(left and middle) shows two grounded C_KT-proofs with the modal rules high- 
lighted. 


[Fig. 2 (garbled in extraction). Left: a grounded C_KT-proof that derives 
⇒ □p → p using (T) and then ⇒ □(□p → p) by (K). Middle: a second grounded 
C_KT-proof, again with (K) as the lowermost modal rule, whose endsequent is not 
recoverable from the extraction. Right: a grounded HS5-proof of the K5 axiom 
¬□p → □¬□p, ending in (MM).] 

Fig. 2. Grounded proofs in KT⁻ (left and middle) and in HS5 (right) 


Theorem 5 (Soundness of grounded C_KT-proofs). If there is a grounded 
C_KT-proof of Γ ⇒ Δ, then Γ ⇒ Δ is valid in KT⁻. 

Proof. It suffices to show that the conclusion of an instance of (K) in a C_KT-proof 
is valid in KT⁻. Indeed, as the endsequent of a grounded C_KT-proof is derivable 
from the conclusions of its lowermost instances of (K) using only propositional 
rules, it then follows that the endsequent is valid in KT⁻ as well.² So let 

   Γ ⇒ A 
  ──────── (K) 
  □Γ ⇒ □A 

be such an instance. As its premise Γ ⇒ A is valid in KT, we can use the 
deduction theorem (Theorem 1) to obtain a finite set Ω of modalized instances 
of the reflexivity axiom □p → p such that the sequent Ω, Γ ⇒ A is valid in K. 
Then, by (K), also □Ω, □Γ ⇒ □A is valid in K. As all formulas in □Ω are 
modalized instances of the axiom of shift-reflexivity and therefore valid in KT⁻, 
it follows that the reduced sequent □Γ ⇒ □A is valid in KT⁻. 

² Note that if a grounded proof has no instances of (K) at all, then it is essentially a 
propositional proof, and so the statement is trivial. 


Theorem 6 (Cutfree completeness of grounded C_KT-proofs). If Γ ⇒ Δ 
is valid in KT⁻, then there is a grounded cutfree C_KT-proof of it. 

Proof. Let Γ ⇒ Δ be valid in KT⁻. By the deduction theorem there is a finite 
set Ω of modalized instances of □(□p → p) such that Ω, Γ ⇒ Δ is valid in 
K. We may write Ω as □Ω', where Ω' is now a set of modalized instances of 
□p → p. 

Consider a lowermost instance of (K) in a cutfree C_K-proof α of Ω, Γ ⇒ Δ: 

    Ω', Σ ⇒ A 
  ─────────────── (K) 
  □Ω', □Σ ⇒ □A 

Here we assume harmlessly that □Ω' in the conclusion of (K) contains exactly 
the antecessors of Ω = □Ω' in the endsequent, i.e. no contraction or weakening 
has been applied to a formula in □Ω' between this instance of (K) and the 
endsequent. We now construct a cutfree grounded proof as follows. In α, replace 
the proof of the premise (for all lowermost (K) simultaneously) with a cutfree 
C_KT-proof of Σ ⇒ A; this is possible as every formula in Ω' is valid in KT, and 
moreover KT admits cut-elimination. Apply (K) to obtain the sequent □Σ ⇒ 
□A, and now follow the original proof downwards while removing antecessors of 
Ω to eventually obtain Γ ⇒ Δ. 


3.2 K5 


The system of rules for K5 will involve a hypersequent calculus for S5, so we 
first introduce some notation. A hypersequent is a multiset of sequents written 
Γ1 ⇒ Δ1 | ... | Γn ⇒ Δn, and its (modal) formula interpretation is □(⋀Γ1 → 
⋁Δ1) ∨ ... ∨ □(⋀Γn → ⋁Δn). We say that a hypersequent is valid in a logic if 
its formula interpretation is. 

There are now two ways of assigning a formula to Γ ⇒ Δ, namely □(⋀Γ → 
⋁Δ) “boxed” or ⋀Γ → ⋁Δ “flat”, depending on whether we treat Γ ⇒ Δ as a 
one-component hypersequent or as a sequent. To avoid any ambiguity, we will 
explicitly say in this section that Γ ⇒ Δ is flat-valid in a logic L if ⋀Γ → ⋁Δ ∈ 
L. Otherwise, by validity of a hypersequent (possibly with only one component) 
we always mean the boxed interpretation above. In any modal logic L ⊇ KT 
(so in particular, S5) we have the equivalence A ∈ L ⟺ □A ∈ L and so the 
notions of valid and flat-valid coincide on sequents. However, we will work in K5 
where such an equivalence does not apply. 


Definition 2. The rules of the hypersequent calculus HS5 are as follows: 
- Any rule of LK, applied componentwise in a hypersequent; 
- Additionally, we have rules (ew) and (ec), the modal rules (□_L), (□_R) (see 
Fig. 1) and the modal merging rule (MM): 

    Γ1 ⇒ A1 | ... | Γn ⇒ An 
  ───────────────────────────── (MM) 
  □Γ1, ..., □Γn ⇒ □A1, ..., □An 


There are a number of slightly different hypersequent calculi for S5 (see the 
survey [3]) and any of these would be suitable for the system of rules we define 
below. We use a variant due to Restall [18] as this calculus underlies the grafted 
hypersequent calculus in [12] to which we later relate. 

The only change from [18] is that we include the rule (MM). While being 
redundant—(MM) is derivable from (□_L) and (□_R)—it will be useful to formu- 
late the system of rules. Note that (MM) has no hypersequent context and so 
its conclusion is always a sequent. For n = 1 the rule coincides with (K). 


Theorem 7 ([18]). HS5 is adequate for S5 and admits cut-elimination. 

Definition 3. A proof in HS5 is grounded if every lowermost modal rule in it 
is (MM). 

Figure 2 (right) shows a grounded HS5-proof of the characteristic K5-axiom. 
While it is formally possible due to (ew) and (ec) that hypersequents with more 
than one component appear in the lower part of a grounded HS5-proof, it is 
easy to see that this is never necessary. We will therefore tacitly assume that 
Definition 3 is extended by the clause: ... and every hypersequent that is not 
above an instance of (MM) has exactly one component. The following Lemma 
will give us the soundness of grounded HS5-proofs. 

Lemma 1. If the premise of an instance of (MM) is valid in S5, then its 
conclusion is flat-valid in K5. 


Proof. Assume contrapositively the conclusion □Γ1, ..., □Γn ⇒ □A1, ..., □An 
is not flat-valid in K5. Then (⋀_{i≤n} □Γi) → (⋁_{i≤n} □Ai) fails at a world w of 
a Euclidean model M. In particular, there are worlds v1, ..., vn accessible 
from w such that vi satisfies every formula in Γi but falsifies Ai. Now we use 
Theorem 3. Pick an arbitrary world v in M_w (say, v1). As M_w is totally con- 
nected, every world v1, ..., vn is accessible from v. Hence □(⋀Γi → Ai) fails at 
v for every i ≤ n, and consequently so does ⋁_{i≤n} □(⋀Γi → Ai), which is the 
(boxed) interpretation of the premise Γ1 ⇒ A1 | ... | Γn ⇒ An of (MM). Since 
M_w is totally connected, it follows that this hypersequent is not valid in S5. 


Theorem 8 (soundness of grounded HS5-proofs). If there is a grounded 
HS5-proof of Γ ⇒ Δ, then Γ ⇒ Δ is flat-valid in K5. 

Proof. Similar to the proof of Theorem 5. The endsequent Γ ⇒ Δ of a grounded 
proof is derivable from the conclusions of instances of (MM) using only propo- 
sitional inferences. As these conclusions are flat-valid in S5 by Lemma 1, the 
same follows³ for Γ ⇒ Δ. 

³ Note that propositional rules preserve both validity and flat-validity. 
We now turn to the cutfree completeness of grounded HS5-proofs. This will 
again be derived from the deduction theorem and cut-elimination for C_K and 
HS5. The situation in K5 is more complicated than in KT⁻ for the following 
reason: The outermost connective of the axiom □(□p → p) is a □, and thus the 
first (read bottom-up) rule that will be applied to it when used as an assumption 
in a C_K-proof is (K), i.e. the very rule that separates the top from the bottom 
part in our system of rules. In contrast, the outermost connective of ¬□p → 
□¬□p is →. So if we follow an occurrence of the axiom upwards in the proof, it 
will first be split into two different parts □p and □¬□p via (→_L) and (¬_R) that 
only later encounter a modal rule. Thus at the part of the proof where we want 
to introduce the rule (MM) to obtain a system of rules, the constituent formulas 
of the axiom instances have been scattered among the branches of the C_K-proof. 
In a first step, we use the hypersequent structure to bring these scattered axiom 
parts back together. 


Lemma 2. The following rule is admissible in S5: 

  H | C, Γ1 ⇒ Δ1    H | ¬C, Γ2 ⇒ Δ2 
  ───────────────────────────────── 
       H | Γ1 ⇒ Δ1 | Γ2 ⇒ Δ2 

Proof. The rule can easily be shown to be sound using the Kripke semantics of S5. 
It can also be derived from the generalised rule for cuts on boxed formulas that 
Avron uses in his proof [2] of cut-elimination for S5. 


[Fig. 3 (garbled in extraction): starting from a cutfree C_K-proof of Γ ⇒ Δ that 
uses the axiom instance ¬□C → □¬□C, the two branches α1 and α2 end in 
instances of (K) with premises C, Γ1 ⇒ A1 and ¬C, Γ2 ⇒ A2; these premises are 
rejoined by Lemma 2 into the hypersequent Γ1 ⇒ A1 | Γ2 ⇒ A2, to which (MM) 
is applied, after which α1 and α2 are simulated downwards without the axiom 
parts to reach Γ ⇒ Δ.] 

Fig. 3. Constructing a grounded HS5-proof 


At this point we can already illustrate how the grounded HS5-proof will be 
constructed in a very simple case—see Fig. 3. Here we start from a cutfree C_K- 
proof using only a single non-modalized axiom instance ¬□C → □¬□C. After 
breaking up the axiom into two parts □C and □¬□C using invertible rules, 
both parts are traced upwards in their respective branch α1 and α2 until they 
are principal in an inference of (K). Then both premises of (K) are rejoined 
using Lemma 2 into a single hypersequent, thereby eliminating the axiom parts. 
Below this hypersequent we can simulate both proofs α1, α2 (this time omitting 
the axiom parts) to arrive at the desired Γ ⇒ Δ. 
To deal with the general case, we need to extend Lemma 2. For this we intro- 
duce some notation: Given an index set I = {1, ..., n} we write Γ, {C_i}_{i∈I} ⇒ Δ 
for the sequent Γ, C_1, ..., C_n ⇒ Δ, and H | [Γ_i ⇒ Δ_i]_{i∈I} for the hypersequent 

Lemma 3. Let $(C_i \mid i \in I)$ be a set of formulas. If the hypersequent
$$H \mid \{C_j\}_{j \in J}, \{\neg\Box C_k\}_{k \in I \setminus J}, \Gamma_J \Rightarrow \Delta_J$$
is valid in S5 for all $J \subseteq I$, then so is $H \mid [\Gamma_J \Rightarrow \Delta_J]_{J \subseteq I}$.


Proof. By induction on $|I|$. For $I = \emptyset$ the statement is trivial. Thus let $i_0 \in I$. For $J \subseteq I$ we call $S_J$ the hypersequent
$$H \mid \{C_j\}_{j \in J}, \{\neg\Box C_k\}_{k \in I \setminus J}, \Gamma_J \Rightarrow \Delta_J.$$


For any $J \subseteq I$ with $i_0 \in J$ and $L \subseteq (I \setminus \{i_0\})$ we apply Lemma 2 (with $C := C_{i_0}$) to $S_J$ and $S_L$, obtaining
$$H \mid \{C_j\}_{j \in J \setminus \{i_0\}}, \{\neg\Box C_k\}_{k \in I \setminus J}, \Gamma_J \Rightarrow \Delta_J \mid \{C_l\}_{l \in L}, \{\neg\Box C_m\}_{m \in (I \setminus \{i_0\}) \setminus L}, \Gamma_L \Rightarrow \Delta_L.$$


Call $S'_J$ the component with right hand side $\Delta_J$. Keeping $J$ fixed while letting $L \subseteq (I \setminus \{i_0\})$ vary, we can use the induction hypothesis to obtain the hypersequent
$$H \mid S'_J \mid [\Gamma_L \Rightarrow \Delta_L]_{L \subseteq I \setminus \{i_0\}}.$$


By another application of the induction hypothesis, now letting $J$ vary across subsets of $I$ containing $i_0$ (in other words: letting $J'$ vary across subsets of $I \setminus \{i_0\}$ and setting $J := J' \cup \{i_0\}$), we obtain
$$H \mid [\Gamma_J \Rightarrow \Delta_J]_{J \subseteq I,\; i_0 \in J} \mid [\Gamma_L \Rightarrow \Delta_L]_{L \subseteq I \setminus \{i_0\}},$$
i.e. $H \mid [\Gamma_J \Rightarrow \Delta_J]_{J \subseteq I}$.

Note that Lemma 2 is the instance of Lemma 3 where $|I| = 1$. We can now prove the completeness theorem.
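As a worked instance of the induction just given (an illustration added here, not part of the paper), take $I = \{1, 2\}$ and $i_0 := 1$. The four premises of Lemma 3 are
$$\begin{aligned}
S_{\emptyset} &= H \mid \neg\Box C_1, \neg\Box C_2, \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset}, &\quad
S_{\{1\}} &= H \mid C_1, \neg\Box C_2, \Gamma_{\{1\}} \Rightarrow \Delta_{\{1\}},\\
S_{\{2\}} &= H \mid \neg\Box C_1, C_2, \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}}, &\quad
S_{\{1,2\}} &= H \mid C_1, C_2, \Gamma_{\{1,2\}} \Rightarrow \Delta_{\{1,2\}}.
\end{aligned}$$
Moving $\neg\Box C_1$ to the right hand side of $S_{\emptyset}$ and $S_{\{2\}}$ by the invertible rule $(\neg_L)$, Lemma 2 with $C := C_1$ applied to $S_{\{1\}}$ and each of $S_{\emptyset}$, $S_{\{2\}}$ yields
$$H \mid \underbrace{\neg\Box C_2, \Gamma_{\{1\}} \Rightarrow \Delta_{\{1\}}}_{S'_{\{1\}}} \mid \neg\Box C_2, \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset}
\qquad\text{and}\qquad
H \mid S'_{\{1\}} \mid C_2, \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}}.$$
These are exactly the two premises of Lemma 3 for the index set $\{2\}$ with context $H \mid S'_{\{1\}}$, and for $|I| = 1$ Lemma 3 is Lemma 2 (now with $C := C_2$), so we obtain
$$H \mid S'_{\{1\}} \mid \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset} \mid \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}}.$$
The same three steps with $J = \{1, 2\}$ in place of $J = \{1\}$ give
$$H \mid \underbrace{C_2, \Gamma_{\{1,2\}} \Rightarrow \Delta_{\{1,2\}}}_{S'_{\{1,2\}}} \mid \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset} \mid \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}}.$$
Writing $H'' := H \mid \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset} \mid \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}}$, the last two hypersequents read $H'' \mid \neg\Box C_2, \Gamma_{\{1\}} \Rightarrow \Delta_{\{1\}}$ and $H'' \mid C_2, \Gamma_{\{1,2\}} \Rightarrow \Delta_{\{1,2\}}$, and one final application of Lemma 2 (with $C := C_2$) produces
$$H \mid \Gamma_{\emptyset} \Rightarrow \Delta_{\emptyset} \mid \Gamma_{\{2\}} \Rightarrow \Delta_{\{2\}} \mid \Gamma_{\{1\}} \Rightarrow \Delta_{\{1\}} \mid \Gamma_{\{1,2\}} \Rightarrow \Delta_{\{1,2\}}
\;=\; H \mid [\Gamma_J \Rightarrow \Delta_J]_{J \subseteq \{1,2\}},$$
the conclusion of Lemma 3, after seven applications of Lemma 2 in total (three for each $J \ni i_0$ and one to join the two results).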


Theorem 9 (Cutfree completeness of grounded HS5-proofs). If $\Gamma \Rightarrow \Delta$ is flat-valid in K5, then there is a cutfree grounded HS5-proof of it.


Proof. Let $\Gamma \Rightarrow \Delta$ be flat-valid in K5. By the deduction theorem, there is a set $\Omega$ of modalized instances of $\neg\Box p \to \Box\neg\Box p$ such that $\Omega, \Gamma \Rightarrow \Delta$ is flat-valid in K, and therefore has a cutfree $C_K$-proof $\alpha$. We can write $\Omega$ as $\Omega_1 \cup \{\neg\Box C_i \to \Box\neg\Box C_i\}_{i \in I}$ where $\Omega_1$ contains the modalized instances of the axiom with at least one box. By standard invertibility results in $C_K$, we may assume that the lowermost inferences in $\alpha$ are $(\to_L)$ and $(\neg_R)$ applied to all axioms $\neg\Box C_i \to \Box\neg\Box C_i$. In this way, we obtain $2^{|I|}$-many premises, which can succinctly be described as follows: For every $J \subseteq I$, we have a premise $T_J$ containing the (negated) antecedents of all axioms with index $j \in J$ and the consequents of all other axioms, i.e.
$$T_J = \Omega_1, \{\Box C_j\}_{j \in J}, \{\Box\neg\Box C_k\}_{k \in I \setminus J}, \Gamma \Rightarrow \Delta.$$
We now fix cutfree $C_K$-proofs $\alpha_J$ of $T_J$ for every $J \subseteq I$. Letting $P_J$ denote the number of lowermost inferences of $(K)$ in $\alpha_J$, we enumerate them as
$$\frac{\Omega'_1, \{C_j\}_{j \in J}, \{\neg\Box C_k\}_{k \in I \setminus J}, \Gamma^p_J \Rightarrow A^p_J}{\Omega_1, \{\Box C_j\}_{j \in J}, \{\Box\neg\Box C_k\}_{k \in I \setminus J}, \Sigma, \Box\Gamma^p_J \Rightarrow \Box A^p_J, \Pi}\ (K)^p_J$$
where $0 \le p < P_J$. Once again we assume harmlessly that the modalized axiom instances and their parts in the antecedent have not been subject to contraction or weakening. Let us assume moreover that $P_J \ne 0$ for all $J \subseteq I$, i.e. there is at least one instance of $(K)$ in every $\alpha_J$, as the other case is very simple.⁴

As the premise of $(K)^p_J$ is flat-valid in K and every formula in $\Omega'_1$ is valid in S5, it follows that the sequent
$$S^p_J = \{C_j\}_{j \in J}, \{\neg\Box C_k\}_{k \in I \setminus J}, \Gamma^p_J \Rightarrow A^p_J$$
is flat-valid, and therefore also valid, in S5. Define $F := \{f : \mathcal{P}(I) \to \mathbb{N} \mid 0 \le f(J) < P_J\}$ and fix one $f \in F$. We think of $f$ as choosing one specific lowermost instance $(K)^{f(J)}_J$ in every $\alpha_J$. The family $(S^{f(J)}_J)_{J \subseteq I}$ is such that Lemma 3 is applicable to it, and therefore the following hypersequent is valid in S5:
$$H^f := [\Gamma^{f(J)}_J \Rightarrow A^{f(J)}_J]_{J \subseteq I}.$$


We now construct the grounded HS5-proof. Fix cutfree HS5-proofs $\beta^f$ of $H^f$ for every $f \in F$. Below each $\beta^f$ apply $(MM)$ to obtain the sequent
$$\{\Box\Gamma^{f(J)}_J\}_{J \subseteq I} \Rightarrow \{\Box A^{f(J)}_J\}_{J \subseteq I}.$$
Letting $J_1, J_2, \ldots$ be an enumeration of $\mathcal{P}(I)$, we focus on the subfamily of sequents
$$\{\Box\Gamma^{f(J)}_J\}_{J \subseteq I,\; J \ne J_1}, \Box\Gamma^p_{J_1} \Rightarrow \Box A^p_{J_1}, \{\Box A^{f(J)}_J\}_{J \subseteq I,\; J \ne J_1}$$
for fixed $f \in F$ and varying $0 \le p < P_{J_1}$. In other words, we consider all possible values of $f$ on $J_1$ while keeping the other values fixed. Now observe that these $P_{J_1}$-many sequents look similar to the conclusions of the instances $(K)^p_{J_1}$ where $0 \le p < P_{J_1}$, only that the axiom parts have been replaced. We can therefore simulate⁵ the proof $\alpha_{J_1}$ below these sequents obtaining
$$\{\Box\Gamma^{f(J)}_J\}_{J \ne J_1}, \Gamma \Rightarrow \Delta, \{\Box A^{f(J)}_J\}_{J \ne J_1}$$
instead of the original endsequent $T_{J_1}$ of $\alpha_{J_1}$. Starting from this new family of sequents (for all $f \in F$), we can repeat the above steps, simulating the proofs $\alpha_{J_2}, \alpha_{J_3}, \ldots$ until we eventually arrive at the sequent $\Gamma, \ldots, \Gamma \Rightarrow \Delta, \ldots, \Delta$ from which we then obtain $\Gamma \Rightarrow \Delta$ by contraction.


⁴ Assume $(K)$ is never applied in $\alpha_J$. Then no modal formula is ever principal in $\alpha_J$ (note here that modal formulas do not appear in initial sequents, which we require to be atomic). It is then easy to see that the modal formulas in the conclusion of $\alpha_J$ can simply be removed to obtain a (still cutfree) $C_K$-proof of $\Gamma \Rightarrow \Delta$. This proves the theorem, as a cutfree $C_K$-proof is also a cutfree grounded HS5-proof.

⁵ Note that $\alpha_{J_1}$ has only propositional inferences below $(K)^p_{J_1}$, so we do not have to worry about the changed contexts breaking some instance of $(K)$.
3.8 Grounded Proofs and Grafted Hypersequents


In [12] calculi for the logics $KT^-$ and K5 are defined. These build on the notion of a grafted hypersequent $\Gamma \Rightarrow \Delta \,\|\, \Sigma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Sigma_n \Rightarrow \Delta_n$ consisting of a sequent $\Gamma \Rightarrow \Delta$ called the trunk and a hypersequent $\Sigma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Sigma_n \Rightarrow \Delta_n$ called the crown. If the crown is empty, we write $\Gamma \Rightarrow \Delta$ instead of $\Gamma \Rightarrow \Delta \,\|$. A grafted hypersequent corresponds to the modal formula $(\bigwedge\Gamma \to \bigvee\Delta) \vee \bigvee_{i} \Box(\bigwedge\Sigma_i \to \bigvee\Delta_i)$, i.e. one combines the flat interpretation of the trunk with the boxed interpretation of the crown. As pointed out in [12], grafted hypersequents are a restricted form of nested sequents.

We can now compare our systems of grounded proofs with the calculi in [12]. Let us first consider the grafted hypersequent calculus $R_{K5}$ for K5. We refer to [12, Figs. 1 and 2] for a complete list of the rules. The following presentation should suffice for our purposes:


— The trunk rules are the rules of LK applied to the trunk, the crown remaining unchanged;

— The crown rules are the rules of HS5 $\setminus \{(MM)\}$ applied to the crown, where it is required that the trunk is the empty sequent $\Rightarrow$;

— Two transfer rules mediate between the trunk and the crown:
$$\frac{\Gamma \Rightarrow \Delta \,\|\, H \mid\, \Rightarrow A}{\Gamma \Rightarrow \Delta, \Box A \,\|\, H}\ (\Box_R)
\qquad\qquad
\frac{\Gamma \Rightarrow \Delta \,\|\, H \mid \Sigma, A \Rightarrow \Pi}{\Gamma, \Box A \Rightarrow \Delta \,\|\, H \mid \Sigma \Rightarrow \Pi}\ (\Box_L)$$


A grounded HS5-proof can be translated into a proof in $R_{K5}$ as follows:

1. Replace every non-lowermost $(MM)$ by its derivation via $(\Box_L)$ and $(\Box_R)$.

2. Replace every hypersequent $H$ above some instance of $(MM)$ by $\Rightarrow \,\|\, H$.

3. Replace every lowermost $(MM)$-inference by transfer rules as shown below:
$$\frac{\Gamma_1 \Rightarrow A_1 \mid \ldots \mid \Gamma_n \Rightarrow A_n}{\Box\Gamma_1, \ldots, \Box\Gamma_n \Rightarrow \Box A_1, \ldots, \Box A_n}\ (MM)
\quad\leadsto\quad
\dfrac{\dfrac{\Rightarrow \,\|\, \Gamma_1 \Rightarrow A_1 \mid \ldots \mid \Gamma_n \Rightarrow A_n}{\Box\Gamma_1, \ldots, \Box\Gamma_n \Rightarrow \,\|\, \Rightarrow A_1 \mid \ldots \mid\, \Rightarrow A_n}\ \text{some } (\Box_L)\text{'s}}{\Box\Gamma_1, \ldots, \Box\Gamma_n \Rightarrow \Box A_1, \ldots, \Box A_n}\ \text{some } (\Box_R)\text{'s}$$


The grafted hypersequent calculus $R_{KT^-}$ for the logic of shift-reflexive frames is defined similarly; here it is only componentwise applications of $C_{KT}$-rules that are admitted in the crown (it follows that one only needs crowns with one component). An analogous translation from grounded $C_{KT}$-proofs to $R_{KT^-}$ can be defined. The translated proofs satisfy a normal form that already appears in [12, see Def. 4.3].

As the translation described above does not introduce cuts, and as there are cutfree grounded proofs for all theorems of $KT^-$ (Theorem 6) and K5 (Theorem 8), we immediately obtain a new proof of the following (first established in [12] via a syntactic reduction procedure):

Theorem 10. $R_{K5}$ and $R_{KT^-}$ admit cut elimination.
4 Strongly Modular Proofs of Cut-Elimination


The method of the previous section can be summarized as follows: Aiming to show $\Gamma \Rightarrow \Delta$ in an extended system ($KT^-$ or K5), we start from a cutfree $C_K$-proof $\alpha$ of $\Omega, \Gamma \Rightarrow \Delta$ for some (modalized) axiom instances $\Omega$ of the extended logic. Then we inspect $\alpha$ and replace some parts of it with cutfree proofs in $C_{KT}$ or HS5, this way getting rid of the axiom instances in $\Omega$ and thereby obtaining a cutfree 'grounded' proof of $\Gamma \Rightarrow \Delta$.

We emphasize the following: At no point in the argument did one need to understand how cut-elimination for $C_K$, $C_{KT}$ and HS5 is established. In other words, these cut-elimination results are used as 'black boxes' in the proof. Let us introduce the following informal terminology: A proof of cut-elimination is

— weakly modular if it is obtained by modifying or extending the cut-elimination proof of some other logic;

— strongly modular if it is obtained by using the cut-elimination property of some other logic,⁶ irrespective of how this property was obtained.


Our proofs of Theorem 6 and Theorem 9 are strongly modular in this sense. We are not aware of other such proofs in the literature. On the other hand, weakly modular proofs are numerous: One might for example argue for cut-elimination in $C_{KT}$ by describing how the reduction steps in the cut-elimination algorithm for $C_K$ have to be extended to accommodate the additional rule $(T)$.⁷ The disadvantage of this approach is of course that the reader has to know the algorithm for $C_K$. If such a proof were to be formalised, one would have to copy and extend the complete formalisation of the proof for $C_K$, instead of using $C_K$'s already established cut-elimination as a lemma in the formalised proof for $C_{KT}$. The most successful attempts at modularity in cut-elimination have been proofs that are parametrized over a specific class of axioms or rules (e.g. [4,8,13,17]).

We believe strongly modular proofs of cut-elimination are interesting and deserve further study. They have the potential of being both shorter⁸ and more reliable through the reuse of already established theorems. Moreover, given the general significance of cut-elimination, any method for obtaining it is important.

Of course, with only two⁹ examples at hand there is the possibility that we have encountered a 'happy coincidence' rather than a general idea. Indeed the situation of $KT^-$ and K5 is quite special in that they are sandwiched between logics with cutfree calculi, i.e. $K \subseteq KT^- \subseteq KT$ and $K \subseteq K5 \subseteq S5$, and the gap to the 'upper' logic KT or S5 is very small in a precise sense (Theorem 4).

In the remainder of this article we sketch an idea that could be useful for obtaining strongly modular proofs of cut-elimination for other logics. We conduct the discussion in a semi-formal style. While there will not be enough evidence for a 'general method', we do present two further examples where a strongly modular proof is possible: The modal logic KD (using cut-elimination in K) and the intermediate logic LQ (using cut-elimination in intuitionistic logic).

⁶ We do not count proofs using cutfreeness of another calculus for the same logic, or a conservative extension thereof.

⁷ Also, a weakly modular proof of cut-elimination for grounded $KT^-$-proofs is obtained by observing that all reduction steps in $C_{KT}$'s cut-elimination preserve groundedness.

⁸ E.g., compare our proof for K5 with the one in the grafted hypersequent calculus [12].

⁹ Side remark: The result for $KT^-$ also applies to all modal logics $K + \Box C$ where $K + C$ has a cutfree calculus.


4.1 Calculi with Ghost Rules 


We start from the general situation that $L \subseteq M$ where $L$ is some logic with a cutfree sequent calculus $C_L$. We seek a calculus for $M$ that admits a strongly modular proof of cut-elimination, relative to cut-elimination in $C_L$. We additionally assume that a deduction theorem holds between $L$ and $M$. That is, a sequent $\Gamma \Rightarrow \Delta$ is valid in $M$ iff $\Omega, \Gamma \Rightarrow \Delta$ is valid (and therefore cutfree provable) in $L$ for a suitable set of formulas $\Omega$.

Our proofs of the completeness theorems (Theorems 6 and 9) suggest that we should attempt to construct a cutfree $M$-proof of $\Gamma \Rightarrow \Delta$ by somehow transforming a cutfree $C_L$-proof $\alpha$ of $\Omega, \Gamma \Rightarrow \Delta$. Now one naive transformation might immediately spring to mind: Can we simply take $\alpha$ and remove all occurrences of $\Omega$ and its ancestors in $\alpha$ to obtain a cutfree proof $\alpha^!$ of $\Gamma \Rightarrow \Delta$?

The first question then is, in what system does $\alpha^!$ qualify as a proof? Clearly removing formulas from inferences in $C_L$ creates unsound rules. In a first step, we therefore extend $C_L$ with 'ghost rules': These are rules in which the principal formula in the conclusion and its ancestors in the premises have been removed. For example, the ghost rules corresponding to $(\wedge_R)$ and $(K)$ are
$$\frac{\Gamma \Rightarrow \Delta \qquad \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}\ (\wedge_R)^!
\qquad\text{and}\qquad
\frac{\Gamma \Rightarrow}{\Box\Gamma \Rightarrow}\ (K)^!.$$


Different rules can have the same ghost rules, e.g. $(\wedge_R)^! = (\vee_L)^!$. Some ghost rules, e.g. $(\wedge_L)^!$, are 'dummy inferences' $\Gamma \Rightarrow \Delta / \Gamma \Rightarrow \Delta$ that we do not add to the system. If $C_L$ has initial sequents $p \Rightarrow p$ then one or both occurrences of $p$ can be ancestors of $\Omega$, and thus we need different ghost initial sequents:
$$\Rightarrow p \qquad\qquad p \Rightarrow \qquad\qquad \Rightarrow$$


Letting $C^!_L$ denote the calculus extended by such ghost inferences we see that $\alpha^!$ is (up to dummy inferences) a cutfree $C^!_L$-proof of $\Gamma \Rightarrow \Delta$. More generally we infer from the deduction theorem that every sequent valid in $M$ has a cutfree proof in $C^!_L$. But of course, $C^!_L$ also has many derivations which do not correspond to proofs in $M$.


Definition 4. A class $\mathcal{P}$ of $C^!_L$-proofs is cutfree-adequate for $M$ if the endsequent of every $\mathcal{P}$-proof is valid in $M$ ('soundness') and there is a cutfree $\mathcal{P}$-proof of every $M$-valid sequent ('completeness').


Let us informally call a $C^!_L$-proof of $\Gamma \Rightarrow \Delta$ $M$-revivable if we can insert formulas and inferences into it to obtain a $C_L$-proof of $\Omega, \Gamma \Rightarrow \Delta$, where $\Omega$ is a set of $M$-valid formulas. The proof $\alpha^!$ from the above discussion is the typical example of an $M$-revivable proof.
By the deduction theorem and cut-elimination in $C_L$ it follows that the $M$-revivable proofs in $C^!_L$ form a cutfree-adequate class for $M$.¹⁰ So what we have obtained is indeed a strongly modular proof of cut-elimination for the system of $M$-revivable $C^!_L$-proofs. The property of being $M$-revivable can be seen as a global correctness condition on $C^!_L$-proofs, and therefore constitutes—in its broadest interpretation—a system of rules for $M$. But of course this observation is rather¹¹ useless in practice unless we can express the property of being revivable in simpler terms, say via a condition on the order of rules being applied.

To conclude this article, we now discuss two logics—KD and LQ—where 
this is the case. Their similarity lies in the fact that they admit a very strong 
version of the deduction theorem, and this will allow us to express their notions 
of ‘revivability’ in fairly simple terms. In doing so, we obtain both a system of 
rules and a strongly modular proof of cut-elimination. 


4.2 $K \subseteq KD$


The modal logic KD is the extension of K by the seriality axiom $\neg\Box\bot$; in terms of the Kripke semantics, $\neg\Box\bot$ enforces that every world has at least one successor. It is well-known (see, e.g., [13]) that extending $C_K$ with the rule
$$\frac{\Gamma \Rightarrow}{\Box\Gamma \Rightarrow}\ (D)$$
yields a sequent calculus $C_{KD}$ for KD admitting cut-elimination. We now present a new proof of cut-elimination for KD that is strongly modular.

As the seriality axiom has no variables, the modalized instances of it are exactly the formulas $\Box^k\neg\Box\bot$ for $k \ge 0$. Following the methodology sketched in the previous section, we now extend $C_K$ to a calculus $C^!_K$ with ghost rules. Crucially, the ghost rule $(K)^!$ coincides with the rule $(D)$ above.


Theorem 11. Those proofs in $C^!_K$ whose only ghost rule is $(K)^!$ form a cutfree-adequate class for KD.


Proof. Let us first deal with completeness. If $\Gamma \Rightarrow \Delta$ is valid in KD, then there is a set $\Omega$ of modalized instances of $\neg\Box\bot$ such that $\Omega, \Gamma \Rightarrow \Delta$ has a $C_K$-proof $\alpha$. Using cut-elimination in $C_K$, we may assume that $\alpha$ is cutfree. As there is no right rule for $\bot$, the $C_K$-rules that can be applied in $\alpha$ to an ancestor of a modalized instance of $\neg\Box\bot$ in $\Omega$ are only $(\neg_L)$ and $(K)$. Now obtain $\alpha^!$ by removing $\Omega$ and all its ancestors from the proof. As $(\neg_L)^!$ is a dummy rule, the only ghost rule we need to create is $(K)^!$. Thus $\alpha^!$ is as desired.


¹⁰ The idea of systematically replacing systems of rules with axiom instances in order to prove soundness already appears in [16].

¹¹ One could maybe make the following remark: When looking for a simple cut-free sequent calculus that, endowed with some global correctness criterion, captures the logic $M$, one does not have to look further than $C^!_L$.
We now turn to soundness. For this we have to 'revive' a $C^!_K$-proof $\beta$ of $\Gamma \Rightarrow \Delta$ whose only ghost rule is $(K)^!$. This is done as follows:
$$\frac{\Gamma \Rightarrow}{\Box\Gamma \Rightarrow}\ (K)^!
\quad\leadsto\quad
\dfrac{\dfrac{\dfrac{\Gamma \Rightarrow}{\Gamma \Rightarrow \bot}\ (w)}{\Box\Gamma \Rightarrow \Box\bot}\ (K)}{\neg\Box\bot, \Box\Gamma \Rightarrow}\ (\neg_L)$$
Now propagate the newly added $\neg\Box\bot$ downwards in the proof. We will have to add $\Box$'s in front of it whenever we encounter the rule $(K)$. Doing so for all instances of $(K)^!$ we eventually obtain a $C_K$-proof of $\Omega, \Gamma \Rightarrow \Delta$ where $\Omega$ contains modalized instances of $\neg\Box\bot$. Thus $\Gamma \Rightarrow \Delta$ is valid in KD.


As restricting the ghost inferences in $C^!_K$ to $(K)^!$ yields exactly $C_{KD}$, we have obtained a new (and strongly modular) proof of cut-elimination for $C_{KD}$.
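As a worked instance of Theorem 11 (an illustration added here, not from the paper; it also makes concrete the construction of $\alpha^!$ from Sect. 4.1), consider the KD-valid sequent $\Rightarrow \neg\Box\Box\bot$. Its $C^!_K$-proof uses $(K)^!$ twice; we assume, as the remark that $\bot$ has no right rule suggests, that $\bot \Rightarrow$ is available in $C_K$ as a left rule or initial sequent:
$$\dfrac{\dfrac{\dfrac{\bot \Rightarrow}{\Box\bot \Rightarrow}\ (K)^!}{\Box\Box\bot \Rightarrow}\ (K)^!}{\Rightarrow \neg\Box\Box\bot}\ (\neg_R)$$
Reviving the upper $(K)^!$ as in the soundness proof introduces $\neg\Box\bot$, which then has to pass the lower $(K)^!$; that inference is revived in the same way and, being a genuine $(K)$ now, puts a box in front of the propagated $\neg\Box\bot$:
$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\bot \Rightarrow}{\bot \Rightarrow \bot}\ (w)}{\Box\bot \Rightarrow \Box\bot}\ (K)}{\neg\Box\bot, \Box\bot \Rightarrow}\ (\neg_L)}{\neg\Box\bot, \Box\bot \Rightarrow \bot}\ (w)}{\Box\neg\Box\bot, \Box\Box\bot \Rightarrow \Box\bot}\ (K)}{\neg\Box\bot, \Box\neg\Box\bot, \Box\Box\bot \Rightarrow}\ (\neg_L)}{\neg\Box\bot, \Box\neg\Box\bot \Rightarrow \neg\Box\Box\bot}\ (\neg_R)$$
The endsequent is $\Omega, \Rightarrow \neg\Box\Box\bot$ with $\Omega = \{\neg\Box\bot, \Box\neg\Box\bot\}$, i.e. the instances $\Box^k\neg\Box\bot$ for $k = 0, 1$, so $\Rightarrow \neg\Box\Box\bot$ is valid in KD by the deduction theorem. Read in the other direction, deleting $\Omega$ and all its ancestors from the revived proof turns the two $(w)$ and two $(\neg_L)$ inferences into dummies and the two $(K)$ inferences back into $(K)^!$, which is exactly the first tree.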


4.3 $IL \subseteq LQ$


For our final example, we leave the realm of modal logics and consider an intermediate logic instead. LQ extends IL by the law of weak excluded middle $\neg p \vee \neg\neg p$; it is known [11] that the following deduction theorem holds: $A \in LQ \iff (\bigwedge_{i=1}^{n} (\neg p_i \vee \neg\neg p_i)) \to A \in IL$ where $p_1, \ldots, p_n$ are the variables occurring in $A$. Let $C_{IL}$ be the single-conclusion calculus obtained from the first group of rules in Fig. 1 by stipulating that $|\Sigma| = 0$ and $|\Delta| \le 1$. $C_{IL}$ is adequate for IL and admits cut-elimination.


Definition 5. A proof in $C^!_{IL}$ is LQ-grounded if the following holds:

1. The only ghost rules in it are $(\vee_L)^!$ and the ghost initial sequents $\Rightarrow p$, $p \Rightarrow$, $\Rightarrow$.
2. Letting $(\vee_L)^!_1, \ldots, (\vee_L)^!_n$ denote all instances of $(\vee_L)^!$ in the proof, there are sets $L_1, R_1, \ldots, L_n, R_n$ of ghost initial sequent occurrences such that
 — every ghost initial sequent $p \Rightarrow$ (resp. $\Rightarrow p$, resp. $\Rightarrow$) appears in exactly one $L_i$ (resp. exactly one $R_i$, resp. exactly one $R_i$ and exactly one $L_i$);
 — no two distinct variables appear in the same connected component, where being connected is the reflexive, transitive and symmetric closure of the relation $L_i \sim R_j \;:\iff\; i = j \;\vee\; L_i \cap R_j \ne \emptyset$;
 — every branch of the proof containing a sequent in $L_i$ ($R_i$) goes through the left (right) premise of $(\vee_L)^!_i$. If it goes through the right premise, it contains a sequent with empty right hand side above $(\vee_L)^!_i$.

Figure 4 (middle) shows a simple LQ-grounded proof where $n = 1$.

Theorem 12. The class of LQ-grounded $C^!_{IL}$-proofs is cutfree-adequate for LQ.


Proof (Sketch). Completeness is similar to Theorem 11; LQ's special deduction theorem restricts the necessary ghost inferences to initial sequents and $(\vee_L)^!$.

We now show soundness by 'reviving' an LQ-grounded proof of $\Gamma \Rightarrow \Delta$. Start by adding variables and $(\neg_L)$-inferences to the ghost initial sequents as follows:


Some Analytic Systems of Rules 109 


$$(\Rightarrow p) \in R_i \ \leadsto\ p^{R_i} \Rightarrow p
\qquad
(p \Rightarrow) \in L_i \ \leadsto\ \dfrac{p \Rightarrow p^{L_i}}{p, \neg p^{L_i} \Rightarrow}\ (\neg_L)
\qquad
(\Rightarrow) \in L_i \cap R_j \ \leadsto\ \dfrac{p^{R_j} \Rightarrow p^{L_i}}{p^{R_j}, \neg p^{L_i} \Rightarrow}\ (\neg_L)$$

The superscripts act only as markers, i.e. $p$, $p^{R_i}$, $p^{L_i}$ denote the same variable. In replacing $(\Rightarrow) \in L_i \cap R_j$ we add the variable $p$ from a component connected to $L_i$ or $R_j$ (unique if it exists) and an arbitrary variable otherwise; in the other cases the choice of the added variable is forced by the preexisting $p$. The $\neg p^{L_i}$'s are then propagated downwards until the left premise of $(\vee_L)^!_i$. The $p^{R_i}$'s are propagated downwards until we encounter the first sequent $\Sigma \Rightarrow$ with empty right hand side, at which point we introduce double negations:
$$(\Sigma \Rightarrow) \ \leadsto\ \dfrac{\dfrac{\Sigma, p^{R_i} \Rightarrow}{\Sigma \Rightarrow \neg p^{R_i}}\ (\neg_R)}{\Sigma, \neg\neg p^{R_i} \Rightarrow}\ (\neg_L)$$
Propagate the $\neg\neg p^{R_i}$'s down to the right premise of $(\vee_L)^!_i$ and rewrite as follows:
$$\frac{\Sigma \Rightarrow \Pi \qquad \Sigma \Rightarrow \Pi}{\Sigma \Rightarrow \Pi}\ (\vee_L)^!_i
\quad\leadsto\quad
\frac{\Sigma, \neg p^{L_i} \Rightarrow \Pi \qquad \Sigma, \neg\neg p^{R_i} \Rightarrow \Pi}{\Sigma, \neg p \vee \neg\neg p \Rightarrow \Pi}\ (\vee_L)$$
Propagate the new formula $\neg p \vee \neg\neg p$ to the endsequent. Doing so for all $i \le n$, we obtain a $C_{IL}$-proof of $\Omega, \Gamma \Rightarrow \Delta$ where $\Omega$ contains instances of the weak excluded middle axiom. Thus $\Gamma \Rightarrow \Delta$ is valid in LQ.
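As a worked instance of the revival procedure (an illustration added here, not from the paper; the paper's own $n = 1$ example is the middle derivation of Fig. 4, which did not survive extraction), take the LQ-grounded $C^!_{IL}$-proof of the weak excluded middle itself, $\Rightarrow \neg p \vee \neg\neg p$, with $n = 1$, $L_1 = \{p \Rightarrow\}$ and $R_1 = \{\Rightarrow p\}$:
$$\dfrac{\dfrac{\dfrac{p \Rightarrow}{\Rightarrow \neg p}\ (\neg_R)}{\Rightarrow \neg p \vee \neg\neg p}\ (\vee_R)
\qquad
\dfrac{\dfrac{\dfrac{\Rightarrow p}{\neg p \Rightarrow}\ (\neg_L)}{\Rightarrow \neg\neg p}\ (\neg_R)}{\Rightarrow \neg p \vee \neg\neg p}\ (\vee_R)}{\Rightarrow \neg p \vee \neg\neg p}\ (\vee_L)^!_1$$
Definition 5 is satisfied: the only variable is $p$; the branch through $L_1$ ends in the left premise of $(\vee_L)^!_1$, and the branch through $R_1$ ends in the right premise and contains the sequent $\neg p \Rightarrow$ with empty right hand side. Revival adds $p^{L_1}$, $p^{R_1}$ and a $(\neg_L)$ at the ghost initial sequents, turns $\neg p, p^{R_1} \Rightarrow$ (the first empty-succedent sequent on the right branch) into $\neg p, \neg\neg p^{R_1} \Rightarrow$ by the double-negation step, and replaces $(\vee_L)^!_1$ by a genuine $(\vee_L)$:
$$\dfrac{\dfrac{\dfrac{\dfrac{p \Rightarrow p^{L_1}}{p, \neg p^{L_1} \Rightarrow}\ (\neg_L)}{\neg p^{L_1} \Rightarrow \neg p}\ (\neg_R)}{\neg p^{L_1} \Rightarrow \neg p \vee \neg\neg p}\ (\vee_R)
\qquad
\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{p^{R_1} \Rightarrow p}{\neg p, p^{R_1} \Rightarrow}\ (\neg_L)}{\neg p \Rightarrow \neg p^{R_1}}\ (\neg_R)}{\neg p, \neg\neg p^{R_1} \Rightarrow}\ (\neg_L)}{\neg\neg p^{R_1} \Rightarrow \neg\neg p}\ (\neg_R)}{\neg\neg p^{R_1} \Rightarrow \neg p \vee \neg\neg p}\ (\vee_R)}{\neg p \vee \neg\neg p \Rightarrow \neg p \vee \neg\neg p}\ (\vee_L)$$
This is a $C_{IL}$-proof of $\Omega, \Rightarrow \neg p \vee \neg\neg p$ with $\Omega = \{\neg p \vee \neg\neg p\}$, as the deduction theorem for LQ requires; the markers $L_1$, $R_1$ only record which ghost sequent each $p$ came from and play no role in the endsequent.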


It is instructive to compare LQ-grounded proofs to other calculi in the literature. For example, a hypersequent calculus for LQ [8] is obtained by adding the rule $(lq)$ (below left) to a hypersequent calculus for intuitionistic logic.¹² The corresponding 2-system of rules [9] is pictured on the right:
$$\frac{\Sigma, \Sigma' \Rightarrow}{\Sigma \Rightarrow \;\mid\; \Sigma' \Rightarrow}\ (lq)
\qquad\qquad
\begin{array}{c}
\dfrac{\Sigma, \Sigma' \Rightarrow}{\Sigma \Rightarrow \qquad \Sigma' \Rightarrow}\\[1.5ex]
\vdots\\[1.5ex]
\dfrac{\Gamma \Rightarrow \Delta \qquad \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}
\end{array}$$
Figure 4 hints at the translation of LQ-grounded proofs into both calculi.


[Fig. 4 is a derivation figure that did not survive extraction; only its caption is kept.]

Fig. 4. From LQ-grounded proofs to 2-systems (left) and hypersequents (right)


¹² An interesting sequent calculus for LQ is presented in [6].
5 Conclusion and Future Work


We have defined grounded proofs, a system of rules for $KT^-$ and K5, and proved the cut-elimination theorem. We showed how grounded proofs relate to grafted hypersequents, thereby recovering and simplifying the cut-elimination theorem for the latter calculus. We then elaborated on strongly modular proofs of cut-elimination, providing two more examples through the logics KD and LQ.

Future work. Strongly modular proofs do not directly yield an algorithm for eliminating cuts. We would like to know whether the arguments given here can be used to write an algorithm that, e.g., eliminates cuts in grounded K5-proofs by calling the cut-elimination algorithms for K and S5 as subroutines.

The method of obtaining strongly modular proofs through calculi with ghost rules is in a very early stage and so much remains to be explored. As a first step, one could try to extend the argument for LQ to all intermediate logics with a similar deduction theorem, i.e. logics with the simple substitution property [19].


Acknowledgements. The author is indebted to the anonymous reviewers for many 
corrections and helpful suggestions. 
Abstract. We present a sequent calculus for first-order logic with lambda terms and definite descriptions. The theory formalised by this calculus is essentially Russellian, but avoids some of its well-known drawbacks and treats definite descriptions as genuine terms. A constructive proof of the cut elimination theorem and a Henkin-style proof of completeness are the main results of this contribution.
1 Introduction


Definite descriptions (DD) are complex terms commonly applied not only in natural languages but also in mathematics and computer science. In formal languages they are usually expressed by means of the iota operator, which forms terms from formulas. Thus $\iota x\varphi$ means 'the (only) $x$ satisfying $\varphi$'. A DD aims to denote a unique object by virtue of a property that only it has. Sometimes a DD fails, because nothing or more than one thing has the property. A DD that succeeds in denoting exactly one object is proper; otherwise it is improper.

Definite descriptions, proper and improper, are ubiquitous not only in natural languages but also in mathematics and science (like the proper 'the sum of 7 and 5' or the improper 'the square root of $n$'). In formal languages the application of functional terms is the prevailing way of representing complex names. However, applying DD can outrun functional terms in many ways, since they are more expressive than functional terms, in the sense that an arbitrary functional term $f^n(t_1, \ldots, t_n)$ can be represented as a description $\iota x\, F^{n+1}(x, t_1, \ldots, t_n)$, where $F$ is a predicate corresponding to the function $f$. On the other hand, not every definite description, even if proper, can be expressed using functional terms; it is possible only in the case of predicates expressing functional relations, whereas every sentence can be used to form a DD. For example, both 'the father of Ben' and 'the daughter of Mary' may be represented as terms using the iota operator, but only the first may be represented as a functional term. Moreover, even if we can use functional terms instead of DD we enrich a language with another sort of functors in addition to predicates. This has an impact on the formalisation of valid arguments in which very often the conclusion follows on the basis of the content expressed by functional terms which is directly expressed by predicates. For example: 'Adam has children' follows from 'Adam is the father of Ben'. However, to prove its validity, its formal representation $a = f(b) \vdash \exists x(Cxa)$ requires two enthymematic premisses: $\forall xy(Mxy \vee Fxy \to Cyx)$ and $\forall xy(x = f(y) \to Fxy)$. Let us call the latter premiss a bridge principle allowing us to transfer information conveyed by predicates to related functions and vice versa. In general they have the form $\forall x_1, \ldots, x_n, y\,(y = f^n(x_1, \ldots, x_n) \leftrightarrow F^{n+1}(y, x_1, \ldots, x_n))$ and show how the information encoded by the functional predicates is represented by predicates. In the case of using DD instead of functional terms we do not need such extra bridge principles, whereas in languages with functional terms they are necessary in an analysis of obviously valid arguments.¹

The usefulness of formal devices like the iota operator and other term-forming operators has recently been better recognised (cf. Tennant's [32] or Scott and Benzmüller's implementation of free logic using the proof assistant Isabelle/HOL [3]) also in the fields connected with computer science, like differential dynamic logic used for verification of hybrid systems [5] or description logics (see [1] or [25]). Logics with DD are often implemented to enable formalisation of deep philosophical problems, e.g. Anselm's ontological argument (see the work by Oppenheimer and Zalta using the automated reasoning tool PROVER9 [26] or its encoding by Blumson [4]).

Since several rival theories of DD were formulated, the applicability and potential usefulness of DD has so far been underestimated. This leads to the question of which approach is the best one, at least for some specific kind of applications. In this paper we focus on the Russellian approach to definite descriptions ([28] and [35]) which plays a central role in this area. Although Russell's theory of DD has some controversial points, it became a standard point of reference of almost all works devoted to the analysis of definite descriptions. Moreover, it is still widely accepted by formal logicians as a proper way of handling descriptions; the scores of textbooks that use it as their official theory of definite descriptions count as witnesses for this claim. Russell's theory also has strong affinities to logics closely connected with applications in constructive mathematics and computer science, like the logic of the existence predicate by Scott [30] or the definedness logic (or the logic of partial terms) of Beeson [2] and Feferman [8]. These connections were elaborated in [14].

Russell treated DD as incomplete signs and defined their use by contextual definitions of the form:
$$\psi[x/\iota x\varphi] := \exists x(\forall y(\varphi[x/y] \leftrightarrow y = x) \wedge \psi)$$

¹ Some other advantages of using DD instead of functional terms are discussed in more detail in [17].
but this solution leads to scoping difficulties if $\psi$ is not elementary. $\neg\psi[x/\iota x\varphi]$, e.g., is ambiguous: is the whole formula negated or only the predicate $\psi$? The method which Russell introduced in [35] to draw scope distinctions is rather clumsy. Fortunately, it is possible to develop a logic which treats DD as genuine terms and yet retains desirable features of the Russellian approach. Such a logic was formalised as a natural deduction system by Kalish, Montague, and Mar [18] and by Francez and Więckowski [11]. These systems involve complex rules and axioms, but recently Indrzejczak [16] provided an analytic and cut-free sequent calculus equivalent to the Russellian logic as formalised in [18]. However, in all these systems the formal counterpart of the Russellian policy of eliminating DD from sentences must be restricted to predicate letters, which is connected with the scoping difficulties of the Russellian approach just mentioned.

Can we offer any improvement on the state of the art? A possible strategy of avoiding these problems is to treat DD by means of a binary quantifier; this approach was formally developed by Kürbis (cf. [19–23]). However, if we want to treat DD as terms, then the introduction of the lambda operator to construct complex predicate abstracts from formulas offers a good solution. $\lambda x\varphi$ means 'the property of being $\varphi$' and applied to some term, in particular to a DD, forms a formula called a lambda atom. This device was introduced into studies of modal predicate logic by Thomason and Stalnaker [31], and the idea was further developed by Bressan [6] and Fitting [9], in particular, to distinguish between de dicto and de re readings of modal operators. Independently, this technique was used by Scales [29] in his formulation of attributional logic, where Aristotle's distinction between the negation of a sentence and of a predicate is formally expressible. In fact, Scales seems to be the first one to apply predicate abstraction to formalise a theory of DD which relates closely to Russell's. Predicate abstracts were also successfully applied by Fitting and Mendelsohn [10] to obtain a theory of DD in a modal setting. This approach, with slight modifications, was further developed independently by Orlandelli [27] and Indrzejczak [12] to obtain cut-free sequent calculi for modal logics with DD and predicate abstracts.

In this article we focus on a different logic RL, first introduced in [17], which 
also combines the iota and lambda operators. It avoids the shortcomings of the 
Russellian approach while saving all its plausible features. Predicate abstracts 
permit us to draw scope distinctions rather more elegantly than with the Rus- 
sellian scope markers and their application is more general. RL is essentially 
Russellian but with DD treated as genuine terms. Nonetheless, the reductionist 
aspect of Russell’s approach is retained in several ways. On the level of syntax 
the occurrences of DD are restricted to arguments of predicate abstracts to form 
lambda atoms. On the level of semantics DD are not defined by an interpretation 
function but by satisfaction clauses for lambda atoms. Eventually, on the level 
of calculus DD cannot be instantiated for variables in quantifier rules but are 
subject to special rules for lambda atoms. This strict connection of DD with 
predicate abstracts avoids disadvantages of the Russellian approach connected 
with scoping difficulties, and, at the same time, simplifies proofs of metalogical 
properties. 
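As an added illustration (not from the paper) of how predicate abstracts draw the scope distinction that Russell's contextual definition leaves ambiguous: the Russellian $\neg\psi[x/\iota x\varphi]$ can be read as the negation of the whole sentence or as the negation of the predicate, and with $\lambda$ the two readings are two different formulas,
$$\neg(\lambda x\psi)(\iota x\varphi) \qquad\text{versus}\qquad (\lambda x\neg\psi)(\iota x\varphi).$$
Unfolding both by the contextual definition quoted above gives
$$\neg\exists x(\forall y(\varphi[x/y] \leftrightarrow y = x) \wedge \psi) \qquad\text{versus}\qquad \exists x(\forall y(\varphi[x/y] \leftrightarrow y = x) \wedge \neg\psi),$$
which differ exactly when the description is improper: then the existential conjunct fails, so the first formula is true and the second is false.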
RL was originally characterised semantically and formalised as an analytic tableau calculus in [17], where it was also applied for proving the Craig interpolation theorem. Here we are completing the research on RL by providing an adequate sequent calculus for which the cut elimination theorem is proved constructively. We characterise the language, semantics and axiomatisation of RL in Sect. 2. Then we present the sequent calculus GRL for RL and show its equivalence with an axiomatic Hilbert style system HRL. Section 4 contains a proof of the cut elimination theorem, and Sect. 5 a Henkin-style proof of completeness. The paper finishes with some comparative remarks.


2 Preliminaries 


The language $\mathcal{L}$ of RL is standard, except that it contains the operators $\iota$ and $\lambda$. Following the remarks on the functional terms from the Introduction, as well as the original Russellian attitude towards terms, the 'official' language has neither constant nor function symbols; in the completeness proof we add constants solely for the purpose of constructing models from consistent sets. As is customary in proof theoretic investigations since Gentzen, we distinguish free and bound variables graphically in deductions. It is not customary to make this distinction in semantics, and so there we won't make it either. This blend of two customs should not lead to confusion, and we are following Fitting and Mendelsohn [10] in this respect. There are two disjoint sets $VAR$ of variables and $PAR$ of parameters. The former plays the role of the bound, the latter of the free variables in the presentation of the proof theory of RL; in the presentation of the semantics, this restriction is relaxed and members of $VAR$ are permitted as free variables. The terms of the language in the strict sense are the variables and parameters. Expressions formed by $\iota$ are admitted as terms in a more general sense: their application is restricted to predicate abstracts and they are called quasi-terms. We mention only the following formation rules for the more general notion of a formula used in the semantics:


— If $P^n$ is a predicate symbol (including $=$) and $t_1, \ldots, t_n \in VAR \cup PAR$, then $P^n(t_1, \ldots, t_n)$ is a formula (atomic formula).

— If $\varphi$ is a formula, then $(\lambda x\varphi)$ is a predicate abstract.

— If $\varphi$ is a formula, then $\iota x\varphi$ is a quasi-term.

— If $\varphi$ is a predicate abstract and $t$ a term or quasi-term, then $\varphi t$ is a formula (lambda atom).


$\varphi[x/t]$ denotes the result of replacing $x$ by $t$ in $\varphi$. To save space, we'll often write $\varphi^x_t$ instead of $\varphi[x/t]$. If $t$ is a variable $y$, it is assumed that $y$ is free for $x$ in $\varphi$, that is, no occurrence of $y$ becomes bound in $\varphi$ in the replacement. To save space and simplify things in the statement of the semantics and in the completeness proof in Sect. 4, we treat $\vee$, $\to$, $\exists$ as defined notions.

A model is a structure $M = (D, I)$, where for each $n$-argument predicate $P^n$, $I(P^n) \subseteq D^n$. An assignment $v$ is a function $v : VAR \cup PAR \to D$. An $x$-variant $v'$ of $v$ agrees with $v$ on all arguments, save possibly $x$. We write $v^x_o$ to denote the $x$-variant of $v$ with $v^x_o(x) = o$. The notion of satisfaction of a formula $\varphi$ with $v$, in symbols $M, v \models \varphi$, is defined as follows, where $t \in VAR \cup PAR$:


$M, v \models P^n(t_1, \ldots, t_n)$ iff $(v(t_1), \ldots, v(t_n)) \in I(P^n)$

$M, v \models t_1 = t_2$ iff $v(t_1) = v(t_2)$

$M, v \models (\lambda x\psi)t$ iff $M, v^x_o \models \psi$, where $o = v(t)$

$M, v \models (\lambda x\psi)\iota y\varphi$ iff there is an $o \in D$ such that $M, v^x_o \models \psi$, and $M, v^x_o \models \varphi[y/x]$, and for any $y$-variant $v'$ of $v^x_o$, if $M, v' \models \varphi$, then $v'(y) = o$

$M, v \models \neg\varphi$ iff $M, v \not\models \varphi$

$M, v \models \varphi \wedge \psi$ iff $M, v \models \varphi$ and $M, v \models \psi$

$M, v \models \forall x\varphi$ iff $M, v^x_o \models \varphi$, for all $o \in D$


A formula $\varphi$ is satisfiable if there are a model $M$ and an assignment $v$ such that $M, v \models \varphi$. A formula is valid if, for all models $M$ and assignments $v$, $M, v \models \varphi$. Semantically, HRL is identified with the set of valid formulas, RL with the set of valid sequents. A set of formulas $\Gamma$ is satisfiable iff there is some structure $M$ and an assignment $v$ such that $M$ satisfies every member of $\Gamma$ with $v$. A sequent $\Gamma \Rightarrow \Delta$ is satisfied by a structure $M$ with an assignment $v$ if and only if, if for all $\varphi \in \Gamma$, $M, v \models \varphi$, then for some $\psi \in \Delta$, $M, v \models \psi$. We symbolise this by $M, v \models \Gamma \Rightarrow \Delta$. A sequent $\Gamma \Rightarrow \Delta$ is valid iff it is satisfied by every structure with every assignment $v$. In this case we write $\models \Gamma \Rightarrow \Delta$.

Note that we do not characterise DD semantically by means of the interpretation function $I$, as is usually done (for example in [10,27]). The syntactic restriction making DD only arguments in lambda atoms allows us to define them together in a separate satisfaction clause instead. This is closer to the original Russellian treatment of descriptions and simplifies the completeness proof.

Before presenting the sequent calculus, we briefly give the Hilbert system HRL. As we noted, Russell treated DD as incomplete symbols and eliminated them by means of contextual definitions. Adopting the following axiom corresponding to his definitions would be too simplistic:


R $\quad \psi(\iota y\varphi) \leftrightarrow \exists x(\forall y(\varphi \leftrightarrow y = x) \wedge \psi)$


R must be restricted to atomic $\psi$, or it is necessary to add means for marking scope distinctions. Whitehead and Russell chose the latter option, but their method is far from ideal. It is possible to avoid the problem in a more elegant fashion with the help of a $\lambda$ operator. In particular, we can use it to distinguish the application of the negated predicate $\neg\psi$ to $\iota y\varphi$ from negating the application of $\psi$ to it. In the present context scoping difficulties arise only in relation to DD, and the problem is solved by restricting predication on DD to predicate abstracts. Accordingly, atomic formulas are built from predicate symbols and variables/parameters only. This is in full accordance with Russell, since the language of Principia contains no primitive constant and function symbols: they are introduced by contextual definitions by means of DD. We modify R to reflect the restriction that $\iota$ terms require $\lambda$ abstracts:


$R_\lambda \quad (\lambda x\psi)\iota y\varphi \leftrightarrow \exists x(\forall y(\varphi \leftrightarrow y = x) \wedge \psi)$


This way we avoid problems with scope while permitting complex as well as primitive predicates to be applied to DD. The axiomatic system HRL for our logic RL results from a standard axiomatization of pure first-order logic with identity and quantifier rules restricted to parameters by adding the axiom $R_\lambda$ and $\beta$-conversion for $\lambda$, again restricted to parameters: $(\lambda x\psi)t \leftrightarrow \psi[x/t]$, where $t$ is a parameter. The adequacy of HRL will be demonstrated below.
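As an added worked example (not code from the paper or its authors), the satisfaction clauses of Sect. 2 and the axiom $R_\lambda$ can be checked mechanically over a finite model. The Python below encodes formulas as nested tuples, implements substitution $\varphi[x/t]$ with the free-for check assumed above, evaluates $M, v \models \varphi$ clause by clause (with $\vee$, $\to$, $\exists$ as defined notions), and then (i) shows the scope distinction the $\lambda$ operator provides, contrasting $(\lambda x\neg Bx)\iota yKy$ with $\neg(\lambda xBx)\iota yKy$, and (ii) verifies $R_\lambda$ under every assignment of a model. The tuple encoding, the three-element models, the predicate letters K, B, R and the parameter a are all constructed for this illustration, and the axiom check assumes that $x$ does not occur free in $\varphi$.

```python
from itertools import product

# ---- formulas as nested tuples (a constructed encoding, not the paper's syntax) ----
def P(name, *terms): return ('P', name, tuple(terms))          # P^n(t1,...,tn)
def Eq(s, t): return ('=', s, t)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Forall(x, f): return ('forall', x, f)
def Lam(x, psi, t): return ('lam', x, psi, t)                    # (λx ψ)t, t a term
def LamIota(x, psi, y, phi): return ('lamiota', x, psi, y, phi)  # (λx ψ)ιyφ
# ∨, → and ∃ are defined notions, as in the paper
def Imp(f, g): return Not(And(f, Not(g)))
def Iff(f, g): return And(Imp(f, g), Imp(g, f))
def Exists(x, f): return Not(Forall(x, Not(f)))

def free(f):
    """Free variables and parameters of f (both are plain strings here)."""
    k = f[0]
    if k == 'P': return set(f[2])
    if k == '=': return {f[1], f[2]}
    if k == 'not': return free(f[1])
    if k == 'and': return free(f[1]) | free(f[2])
    if k == 'forall': return free(f[2]) - {f[1]}
    if k == 'lam': return (free(f[2]) - {f[1]}) | {f[3]}
    return (free(f[2]) - {f[1]}) | (free(f[4]) - {f[3]})        # lamiota

def _under(binder, body, x, t):
    """Substitute below a binder: skip if the binder shadows x, refuse capture of t."""
    if binder == x or x not in free(body): return body
    if binder == t: raise ValueError(f"{t} is not free for {x}")
    return subst(body, x, t)

def subst(f, x, t):
    """f[x/t]: replace the free occurrences of x by the term t (ValueError on capture)."""
    k, r = f[0], (lambda s: t if s == x else s)
    if k == 'P': return ('P', f[1], tuple(map(r, f[2])))
    if k == '=': return ('=', r(f[1]), r(f[2]))
    if k == 'not': return ('not', subst(f[1], x, t))
    if k == 'and': return ('and', subst(f[1], x, t), subst(f[2], x, t))
    if k == 'forall': return ('forall', f[1], _under(f[1], f[2], x, t))
    if k == 'lam': return ('lam', f[1], _under(f[1], f[2], x, t), r(f[3]))
    return ('lamiota', f[1], _under(f[1], f[2], x, t), f[3], _under(f[3], f[4], x, t))

def free_for(f, x, t):
    """True iff t is free for x in f, i.e. no occurrence of t would become bound."""
    try: subst(f, x, t); return True
    except ValueError: return False

def sat(M, v, f):
    """M,v ⊨ f, following the satisfaction clauses of Sect. 2; v maps names to D."""
    D, I = M
    k = f[0]
    if k == 'P': return tuple(v[s] for s in f[2]) in I[f[1]]
    if k == '=': return v[f[1]] == v[f[2]]
    if k == 'not': return not sat(M, v, f[1])
    if k == 'and': return sat(M, v, f[1]) and sat(M, v, f[2])
    if k == 'forall': return all(sat(M, {**v, f[1]: o}, f[2]) for o in D)
    if k == 'lam':                       # M,v^x_o ⊨ ψ where o = v(t)
        return sat(M, {**v, f[1]: v[f[3]]}, f[2])
    x, psi, y, phi = f[1:]               # (λxψ)ιyφ: some o satisfies ψ and φ[y/x], and is the only φ-er
    phi_x = subst(phi, y, x)
    for o in D:
        vx = {**v, x: o}
        unique = all(p == o or not sat(M, {**vx, y: p}, phi) for p in D)
        if sat(M, vx, psi) and sat(M, vx, phi_x) and unique:
            return True
    return False

def valid_in(M, f):
    """True iff M,v ⊨ f for every assignment v of f's free variables and parameters."""
    D, _ = M
    names = sorted(free(f))
    return all(sat(M, dict(zip(names, os)), f) for os in product(D, repeat=len(names)))

def substitution_lemma_holds(M, f, x, t):
    """Brute-force check of M,v ⊨ f[x/t] iff M,v^x_{v(t)} ⊨ f over all assignments v."""
    D, _ = M
    names = sorted(free(f) | {x, t})
    for os in product(D, repeat=len(names)):
        v = dict(zip(names, os))
        if sat(M, v, subst(f, x, t)) != sat(M, {**v, x: v[t]}, f):
            return False
    return True

def R_lambda(x, psi, y, phi):
    """Axiom R_λ: (λxψ)ιyφ ↔ ∃x(∀y(φ ↔ y = x) ∧ ψ); assumes x is not free in φ."""
    return Iff(LamIota(x, psi, y, phi),
               Exists(x, And(Forall(y, Iff(phi, Eq(y, x))), psi)))

def scope_demo(M):
    """(λx¬Bx)ιyKy ('the K is non-B') versus ¬(λxBx)ιyKy (negation with wide scope)."""
    narrow = LamIota('x', Not(P('B', 'x')), 'y', P('K', 'y'))
    wide = Not(LamIota('x', P('B', 'x'), 'y', P('K', 'y')))
    return sat(M, {}, narrow), sat(M, {}, wide)

# Constructed three-element models: K has exactly one member in M_ONE and none in M_NONE.
D = {0, 1, 2}
M_ONE = (D, {'K': {(1,)}, 'B': {(0,), (1,)}, 'R': {(0, 1), (1, 2), (2, 2)}})
M_NONE = (D, {'K': set(), 'B': {(0,), (1,)}, 'R': {(0, 1), (1, 2), (2, 2)}})

if __name__ == '__main__':
    print("scope:", scope_demo(M_ONE), scope_demo(M_NONE))
    print("R_lambda valid:", valid_in(M_ONE, R_lambda('x', P('B', 'x'), 'y', P('R', 'y', 'a'))))
```

When K has no member, the narrow-scope lambda atom is false while its wide-scope negation is true, which is exactly the distinction that an unrestricted axiom R would blur. The description clause quantifies over the whole domain, so the evaluator is exponential in the number of free names; it is a checker for finite models, not a decision procedure for RL. The same brute-force equivalence test is what the Substitution Lemma (Lemma 4 in Sect. 5) states in general.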


3 Sequent Calculus 


We now formalise the Russellian logic RL as a sequent calculus GRL. Sequents $\Gamma \Rightarrow \Delta$ are ordered pairs of finite multisets of formulas, called the antecedent and the succedent, respectively. GRL is essentially the calculus G1c of Troelstra and Schwichtenberg [34] with rules for identity and lambda atoms: see Fig. 1.

Let us recall that formulas displayed in the schemata are active, whereas the remaining ones are parametric, or form a context. In particular, all active formulas in the premisses are called side formulas, and the one in the conclusion is the principal formula of the respective rule application. Proofs are defined in the standard way as finite trees with nodes labelled by sequents. The height of a proof $\mathcal{D}$ of $\Gamma \Rightarrow \Delta$ is defined as the number of nodes of the longest branch in $\mathcal{D}$. $\vdash_k \Gamma \Rightarrow \Delta$ means that $\Gamma \Rightarrow \Delta$ has a proof with height at most $k$. $\vdash$ means that there is a proof of the expression standing to its right, be it a formula (in the case of HRL) or a sequent (in the case of GRL).

We need some auxiliary results. In particular, since $(=\Rightarrow)$ is Leibniz' Principle restricted to atomic formulas, we must prove its unrestricted form.


Lemma 1. 1. $\vdash b_1 = b_2, \varphi[x/b_1] \Rightarrow \varphi[x/b_2]$, for any formula $\varphi$.
2. If $\vdash_k \Gamma \Rightarrow \Delta$, then $\vdash_k \Gamma[b_1/b_2] \Rightarrow \Delta[b_1/b_2]$, where $k$ is the height of a proof.


Proof. 1. follows by induction over the complexity of formulas, which is standard for all cases except those concerning lambda atoms with DD. We note that v; is the same as o5, etc. We write $[(\lambda x\psi)\iota y\varphi]$ with a subscript to denote substitutions in lambda atoms in a more readable fashion. To simplify proofs, applications of weakening and contraction rules to derive shared contexts are omitted from now on. Let $\mathcal{D}$ be the following deduction, where the leaves are axioms and $c$ a fresh parameter:

Leb, > eb Pabi > Pad c=a>c=a 
[(Acd)wels,, eb, 02s, > e=a 

Then we derive $\vdash b_1 = b_2, [(\lambda x\psi)\iota y\varphi]_{b_1} \Rightarrow [(\lambda x\psi)\iota y\varphi]_{b_2}$:


[Fig. 1, the table of rule schemata of GRL, did not survive extraction. It displays the rules of G1c (axioms, (Cut), the weakening rules $(W\Rightarrow)$, $(\Rightarrow W)$, the contraction rules $(C\Rightarrow)$, $(\Rightarrow C)$, and the left and right rules for $\neg$, $\wedge$, $\vee$, $\to$, $\forall$, $\exists$) together with the rules for identity and lambda atoms. The rules specific to GRL, as they can be recovered from the instances used later in the text, are:]

$(=\Rightarrow)\quad \dfrac{\varphi[x/b_2], \Gamma \Rightarrow \Delta}{b_1 = b_2, \varphi[x/b_1], \Gamma \Rightarrow \Delta}$

$(\lambda\Rightarrow)\quad \dfrac{\psi[x/b], \Gamma \Rightarrow \Delta}{(\lambda x\psi)b, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\lambda)\quad \dfrac{\Gamma \Rightarrow \Delta, \psi[x/b]}{\Gamma \Rightarrow \Delta, (\lambda x\psi)b}$

$(\iota_1\Rightarrow)\quad \dfrac{\varphi[y/a], \psi[x/a], \Gamma \Rightarrow \Delta}{(\lambda x\psi)\iota y\varphi, \Gamma \Rightarrow \Delta}$

$(\iota_2\Rightarrow)\quad \dfrac{\Gamma \Rightarrow \Delta, \varphi[y/b_1] \qquad \Gamma \Rightarrow \Delta, \varphi[y/b_2] \qquad b_1 = b_2, \Gamma \Rightarrow \Delta}{(\lambda x\psi)\iota y\varphi, \Gamma \Rightarrow \Delta}$

$(\Rightarrow\iota)\quad \dfrac{\Gamma \Rightarrow \Delta, \psi[x/b] \qquad \Gamma \Rightarrow \Delta, \varphi[y/b] \qquad \varphi[y/a], \Gamma \Rightarrow \Delta, a = b}{\Gamma \Rightarrow \Delta, (\lambda x\psi)\iota y\varphi}$

where $a$ is a fresh parameter (Eigenvariable), not present in $\Gamma$, $\Delta$ and $\varphi$, whereas $b$, $b_1$, $b_2$ are arbitrary parameters. $\varphi$ in $(=\Rightarrow)$ is an atomic formula.


Fig. 1. Calculus GRL
ce NEL EI, 
a 
a bi = be, pas, Wab, (Arphyg]i, > ((Axv)uwv]s, 
T z Z z 
(C bı = be, [Aap)yes, ; ((Amb)we]lz, > [vv)wels, 


bi = b2, [vb welt, > (Oev)welo, 


The two left leaves are provable by the induction hypothesis (if $b_1, b_2$ are not present in $\psi$ or $\varphi$, we have an axiomatic sequent).

The proof of 2 is by a standard induction on the height of proofs; the rules for lambda atoms with DD are treated similarly to the rules for quantifiers.


Let us now show that the Russellian axiom $R_\lambda$ is provable in GRL. We will provide proofs for two sequents corresponding to the two implications. Let $\mathcal{D}$ be:


pa Qa Qu, > Qu, a=a>ai=a 


a 
mm (Axw)we, 92,04, >a =a 


The following establishes one half of $R_\lambda$:


D pe, a1 — à > Qu 
v) Aap)jyy, pt > vu, a =a 
En (Aap), py > Vy(e > y =a) pa => Vs 
(2.3) (Azv)ue, Ya, pa > Vy(e y =a) ^ vs 
! (Ac), Ya pë => Ar(Vy(p = y = £) ^v) 
) 


(i 
(C 


Quev)yue; Qa) > 3x(Vy(e > y = x) ^v) 
Asd)yy > 3x(Vy(o = y = x) ^w) 


where the only nonaxiomatic sequent is provable by lemma 1.1. Next, where $\mathcal{D}$ is:


py => p b=a>b=a 


(==) 


p} = b=a, p} >b=a 
Vyly = y =a) py >b=a 


the following establishes the other half of $R_\lambda$:


y 
Ya => Ya Vyly > y =a) => vi D 
Vyly > y =a), pa > (Arpyjyp 
(A =>) V — z 
jos) y(e — y — a) ^us > (Aryhyp 
x(Vy(p = y = zx) ^v) > Qxv)woe 


(> 0) 


( 


LL 


Conversely, the three rules for lambda atoms with DD are derivable in G1 with $R_\lambda$ added in the form of two axiomatic sequents. To derive $(\iota_1\Rightarrow)$, let $R^1_\lambda$ be $(\lambda x\psi)\iota y\varphi \Rightarrow \exists x(\forall y(\varphi \leftrightarrow y = x) \wedge \psi)$:
>a=a qi val-—A 
p = a=a, pa l > A 
Vy(p => y =a), Ya => A 
Vy(p = y =a) ^pa >A 
Ar(Vy(p > y= x) ^Y), r > A 
(Aryjyg, l >A 


(A=) 
(Cut) Ra 


To derive $(\iota_2\Rightarrow)$, use (Cut) with $(\lambda x\psi)\iota y\varphi \Rightarrow \exists x(\forall y(\varphi \leftrightarrow y = x) \wedge \psi)$ and:


cj bebo 
r = A, Ph, bı =a, b2 =a, l > A 
bı =a, p}, > b2 =a, > A 


( 


r > A, ph 


(e 


(v Pe, < bi = a, QU, bo =a, l > A 


) 
(C >) 
( 


Vy(e = y =a), Yy(p = y =a), Toa 
Vy(e = y =a) Ya, => A 
Vy(p => y =a) ^pa => A 

Ar(Vy(p > y= x) ^Y) r > A 


A 


( 


) 


The following derives $(\Rightarrow\iota)$:


T= Ay} a=b,y} > vi 
pł, T = A,a=b a=b >A, 
r= A ył = a=b 
^) T>A,Vy(p = y =b) r> A, yi 
~ Fea veoy=d) Ave 
(>a I > A,jAr(Vy(p => y =x) Av) 


(Cut) 


(29) 


where the right premiss of (Cut) is provable by lemma 1.1, and the conclusion of the rule follows by (Cut) with $\exists x(\forall y(\varphi \leftrightarrow y = x) \wedge \psi) \Rightarrow (\lambda x\psi)\iota y\varphi$.

Since the proofs of the interderivability of the axiom of $\lambda$ conversion and $(\lambda\Rightarrow)$, $(\Rightarrow\lambda)$ are trivial, we are done and conclude with:


Theorem 1. $\vdash_{HRL} \varphi$ iff $\vdash_{GRL}\ \Rightarrow \varphi$.


4 Cut Elimination 


We will show that (Cut) is eliminable from every proof in GRL using the general strategy of cut elimination proofs applied originally for hypersequent calculi in Metcalfe, Olivetti and Gabbay [24], which works well also in the context of standard sequent calculi (see [15]). Such a proof has a particularly simple structure and allows us to avoid many complexities inherent in other methods of proving cut elimination. In particular, we avoid well-known problems with contraction, since two auxiliary lemmata deal with this problem in advance. We assume that all proofs are regular in the sense that every parameter $a$ which is fresh by the side condition of the respective rule must be fresh in the entire proof, not only on the branch where the application of this rule takes place. There is no loss of generality since every proof may be systematically transformed into a regular one by lemma 1.2. The following notions are crucial for the proof:


1. The cut-degree is the complexity of the cut-formula $\varphi$, i.e. the number of logical constants (connectives, quantifiers and operators) occurring in $\varphi$; it is denoted by $d\varphi$.

2. The proof-degree ($d\mathcal{D}$) is the maximal cut-degree in $\mathcal{D}$.


The proof of the cut elimination theorem is based on two lemmata which successively make a reduction: first of the height of the right, and then of the height of the left premiss of cut. $\varphi^k, \Gamma^k$ denote $k \geq 0$ occurrences of $\varphi, \Gamma$, respectively.


Lemma 2 (Right reduction). Let $\mathcal{D}_1 \vdash \Gamma \Rightarrow \Delta, \varphi$ and $\mathcal{D}_2 \vdash \varphi^k, \Pi \Rightarrow \Sigma$ with $d\mathcal{D}_1, d\mathcal{D}_2 < d\varphi$, and $\varphi$ principal in $\Gamma \Rightarrow \Delta, \varphi$; then we can construct a proof $\mathcal{D}$ such that $\mathcal{D} \vdash \Gamma^k, \Pi \Rightarrow \Delta^k, \Sigma$ and $d\mathcal{D} < d\varphi$.


Proof. By induction on the height of $\mathcal{D}_2$. The basis is trivial, since $\Gamma \Rightarrow \Delta, \varphi$ is identical with $\Gamma^k, \Pi \Rightarrow \Delta^k, \Sigma$. The induction step requires examination of all cases of possible derivations of $\varphi^k, \Pi \Rightarrow \Sigma$, and the role of the cut-formula in the transition. In cases where all occurrences of $\varphi$ are parametric we simply apply the induction hypothesis to the premisses of $\varphi^k, \Pi \Rightarrow \Sigma$ and then apply the respective rule; this is essentially due to the context independence of almost all rules and the regularity of proofs, which together prevent violation of side conditions on eigenvariables. If one of the occurrences of $\varphi$ in the premiss(es) is a side formula of the last rule we must additionally apply weakening to restore the missing formula before the application of the relevant rule.

In cases where one occurrence of $\varphi$ in $\varphi^k, \Pi \Rightarrow \Sigma$ is principal we make use of the fact that $\varphi$ in the left premiss is also principal; for the cases of contraction and weakening this is trivial. We consider the cases of lambda atoms with DD. Hence $\mathcal{D}_1$ finishes with:


$$\dfrac{\Gamma \Rightarrow \Delta, \psi[x/b] \qquad \Gamma \Rightarrow \Delta, \varphi[y/b] \qquad \varphi[y/a], \Gamma \Rightarrow \Delta, a = b}{\Gamma \Rightarrow \Delta, (\lambda x\psi)\iota y\varphi}$$


and $\mathcal{D}_2$ finishes with:


$$\dfrac{\varphi[y/a'], \psi[x/a'], (\lambda x\psi)\iota y\varphi^{k-1}, \Pi \Rightarrow \Sigma}{(\lambda x\psi)\iota y\varphi^k, \Pi \Rightarrow \Sigma}$$


or


$$\dfrac{(\lambda x\psi)\iota y\varphi^{k-1}, \Pi \Rightarrow \Sigma, \varphi[y/b_1] \qquad (\lambda x\psi)\iota y\varphi^{k-1}, \Pi \Rightarrow \Sigma, \varphi[y/b_2] \qquad b_1 = b_2, (\lambda x\psi)\iota y\varphi^{k-1}, \Pi \Rightarrow \Sigma}{(\lambda x\psi)\iota y\varphi^k, \Pi \Rightarrow \Sigma}$$


In the first case, by the induction hypothesis and lemma 1.2 we obtain $\varphi[y/b], \psi[x/b], \Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma$, and by two cuts with the leftmost and central premiss of $(\Rightarrow\iota)$ in $\mathcal{D}_1$ we obtain $\Gamma^{k+1}, \Pi \Rightarrow \Delta^{k+1}, \Sigma$, which by contraction yields the result.

In the second case note first that by lemma 1.2 from the rightmost premiss of $(\Rightarrow\iota)$ in $\mathcal{D}_1$ we obtain


a. $\varphi[y/b_1], \Gamma \Rightarrow \Delta, b_1 = b$ and
b. $\varphi[y/b_2], \Gamma \Rightarrow \Delta, b_2 = b$.


Again by the induction hypothesis from the three premisses we get:


1. $\Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma, \varphi[y/b_1]$
2. $\Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma, \varphi[y/b_2]$
3. $b_1 = b_2, \Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma$


We proceed as follows with a series of applications of cut, followed by contractions, using the provable sequent $b_1 = b, b_2 = b \Rightarrow b_1 = b_2$:


$$\dfrac{\dfrac{2 \qquad b}{\Gamma^k, \Pi \Rightarrow \Delta^k, \Sigma, b_2 = b} \qquad \dfrac{\dfrac{1 \qquad a}{\Gamma^k, \Pi \Rightarrow \Delta^k, \Sigma, b_1 = b} \qquad \dfrac{b_1 = b, b_2 = b \Rightarrow b_1 = b_2 \qquad 3}{b_1 = b, b_2 = b, \Gamma^{k-1}, \Pi \Rightarrow \Delta^{k-1}, \Sigma}}{b_2 = b, \Gamma^{2k-1}, \Pi \Rightarrow \Delta^{2k-1}, \Sigma}}{\dfrac{\Gamma^{3k-1}, \Pi \Rightarrow \Delta^{3k-1}, \Sigma}{\Gamma^k, \Pi \Rightarrow \Delta^k, \Sigma}}$$

Lemma 3 (Left reduction). Let $\mathcal{D}_1 \vdash \Gamma \Rightarrow \Delta, \varphi^k$ and $\mathcal{D}_2 \vdash \varphi, \Pi \Rightarrow \Sigma$ with $d\mathcal{D}_1, d\mathcal{D}_2 < d\varphi$; then we can construct a proof $\mathcal{D}$ such that $\mathcal{D} \vdash \Gamma, \Pi^k \Rightarrow \Delta, \Sigma^k$ and $d\mathcal{D} < d\varphi$.


Proof. By induction on the height of $\mathcal{D}_1$, but with some important differences to the proof of the right reduction lemma. First note that we do not require $\varphi$ to be principal in $\varphi, \Pi \Rightarrow \Sigma$, so this includes the case where $\varphi$ is atomic. In all these cases we just apply the induction hypothesis. This guarantees that even if an atomic cut formula was introduced in the right premiss by $(=\Rightarrow)$, the reduction of the height is achieved only on the left premiss, and we always obtain the expected result. Now, in cases where one occurrence of $\varphi$ in $\Gamma \Rightarrow \Delta, \varphi^k$ is principal, we first apply the induction hypothesis to eliminate all other $k-1$ occurrences of $\varphi$ in the premisses and then we apply the respective rule. Since the only new occurrence of $\varphi$ is principal, we can make use of the right reduction lemma again and obtain the result, possibly after some applications of structural rules.


Now we are ready to prove the cut elimination theorem:

Theorem 2. Every proof in GRL can be transformed into a cut-free proof.


Proof. By double induction: primary on $d\mathcal{D}$ and subsidiary on the number of maximal cuts (in the basis and in the inductive step of the primary induction). We always take the topmost maximal cut and apply lemma 3 to it. By successive repetition of this procedure we reduce either the degree of a proof or the number of cuts in it until we obtain a cut-free proof.
5 Adequacy


In this section, we'll make use of the fact that for every set there is a corresponding multiset, so if $\Gamma, \Delta$ are sets of formulas, we may write $\Gamma \Rightarrow \Delta$. We recall that we treat $\vee$, $\to$, $\exists$ as defined notions. For the completeness proof we assume that a denumerable set of individual constants may be added to the language. $I$ assigns objects in the domain $D$ of the model $(D, I)$ to these constants. For brevity we introduce the notation $I_v$, where if $t$ is a variable or parameter, $I_v(t) = v(t)$, and where $t$ is a constant, $I_v(t) = I(t)$.

Recall the distinction between terms and pseudo-terms: the former are variables and parameters and now also constants, the latter iota terms. In the following lemma, $t$ denotes a variable, parameter or constant, not a DD, hence the proof is standard, with the case of lambda atoms similar to the case of quantifiers. In the rest of this section, too, $t$ will refer to terms only. In particular, there is no need to consider pseudo-terms in the Lindenbaum-Henkin construction (Theorem 4), because in substitution in the formulas concerned only terms can be used. Pseudo-terms are treated, just as they are in the semantics, as occurring in lambda atoms, and thus like the logical constants in the consideration of the consistent addition of formulas to a set in the construction of its maximally consistent extension.


Lemma 4 (The Substitution Lemma). $M, v \models \varphi^x_t$ iff $M, v^x_{I_v(t)} \models \varphi$, if $t$ is free for $x$ in $\varphi$.


Proof. See e.g. [7, 133f] and adjust.

Next, the soundness of GRL.

Theorem 3 (Soundness of GRL). If $\vdash \Gamma \Rightarrow \Delta$, then $\models \Gamma \Rightarrow \Delta$.


Proof. By induction on the height of the proof. Since it is well known that the rules of G1 are validity preserving, and it is obvious for both lambda rules, we show this property only for $(\iota_2\Rightarrow)$ and $(\Rightarrow\iota)$, leaving $(\iota_1\Rightarrow)$ as an exercise.


$(\iota_2\Rightarrow)$. Suppose (1) $\models \Gamma \Rightarrow \Delta, \varphi^y_{b_1}$, (2) $\models \Gamma \Rightarrow \Delta, \varphi^y_{b_2}$, (3) $\models b_1 = b_2, \Gamma \Rightarrow \Delta$, and $\not\models (\lambda x\psi)\iota y\varphi, \Gamma \Rightarrow \Delta$. By the last, there are a structure $M = (D, I)$ and an assignment $v$ such that $M, v \models (\lambda x\psi)\iota y\varphi$, for all $\gamma \in \Gamma$, $M, v \models \gamma$, and for all $\delta \in \Delta$, $M, v \not\models \delta$. Thus by (1), (2) and (3): (4) $M, v \models \varphi^y_{b_1}$, (5) $M, v \models \varphi^y_{b_2}$, and (6) $M, v \not\models b_1 = b_2$. And there is an $o \in D$ such that $M, v^x_o \models \psi$, and $M, v^x_o \models \varphi[y/x]$, and (7) for any $y$-variant $v'$ of $v^x_o$, if $M, v' \models \varphi$, then $v'(y) = o$. By the conventions on the use of free and bound variables in sequents, $x$ is not free in $\varphi^y_{b_1}$ or $\varphi^y_{b_2}$, so $v$ and $v^x_o$ agree on them, and so by (4) and (5) $M, v^x_o \models \varphi^y_{b_1}$ and $M, v^x_o \models \varphi^y_{b_2}$. By the substitution lemma, $M, (v^x_o)^y_{I_v(b_1)} \models \varphi$ and $M, (v^x_o)^y_{I_v(b_2)} \models \varphi$. So the $y$-variants $v'$ and $v''$ of $v^x_o$ that assign $I_v(b_1)$ and $I_v(b_2)$ to $y$ satisfy $\varphi$ with $M$, so by (7) $I_v(b_1) = I_v(b_2) = o$. But $v'$ and $v''$ differ from $v$ only in what they assign to $x$ and $y$, and by (6) $I_v(b_1) \neq I_v(b_2)$. Contradiction.

$(\Rightarrow\iota)$. Suppose (1) $\models \Gamma \Rightarrow \Delta, \psi^x_b$, (2) $\models \Gamma \Rightarrow \Delta, \varphi^y_b$, (3) $\models \varphi^y_a, \Gamma \Rightarrow \Delta, a = b$, but $\not\models \Gamma \Rightarrow \Delta, (\lambda x\psi)\iota y\varphi$, with $a$ not free in any formulas in $\Gamma$ and $\Delta$ nor in $\varphi$. Then there are a structure $M = (D, I)$ and an assignment $v$ such that for all $\gamma \in \Gamma$, $M, v \models \gamma$, for all $\delta \in \Delta$, $M, v \not\models \delta$, and (4) $M, v \not\models (\lambda x\psi)\iota y\varphi$. So by (1), $M, v \models \psi^x_b$, by (2), $M, v \models \varphi^y_b$, and by (4), it is not the case that there is an $o \in D$ such that $M, v^x_o \models \psi$, and $M, v^x_o \models \varphi^y_x$, and for any $y$-variant $v'$ of $v^x_o$, if $M, v' \models \varphi$, then $v'(y) = o$; i.e. for every $o \in D$, either $M, v^x_o \not\models \psi$, or $M, v^x_o \not\models \varphi^y_x$, or for some $y$-variant $v'$ of $v^x_o$, $M, v' \models \varphi$ and $v'(y) \neq o$. Consider $I_v(b)$. We have either (5) $M, v^x_{I_v(b)} \not\models \psi$, or (6) $M, v^x_{I_v(b)} \not\models \varphi^y_x$, or (7) for some $y$-variant $v'$ of $v^x_{I_v(b)}$, $M, v' \models \varphi$ and $v'(y) \neq I_v(b)$. By the substitution lemma from (5) and (6) we have $M, v \not\models \psi^x_b$ and $M, v \not\models (\varphi^y_x)^x_b$, and as $(\varphi^y_x)^x_b$ is the same as $\varphi^y_b$, this contradicts consequences of (1) and (2). By the conventions on the use of free and bound variables in sequents, $x$ and $y$ are not free in any of their formulas, so $v^x_{I_v(b)}$ agrees with $v$ on all formulas in $\Gamma, \Delta$, so for all $\gamma \in \Gamma$, $M, v^x_{I_v(b)} \models \gamma$ and for all $\delta \in \Delta$, $M, v^x_{I_v(b)} \not\models \delta$. So by (3), if $M, v^x_{I_v(b)} \models \varphi^y_a$, then $M, v^x_{I_v(b)} \models a = b$. By the substitution lemma and the semantic clause for identity, if $M, (v^x_{I_v(b)})^y_{I_v(a)} \models \varphi$, then $I_v(a) = I_v(b)$. Now evidently $(v^x_{I_v(b)})^y_{I_v(a)}(y) = I_v(a)$, so $(v^x_{I_v(b)})^y_{I_v(a)}(y) = I_v(b)$. But $(v^x_{I_v(b)})^y_{I_v(a)}$ is a $y$-variant of $v^x_{I_v(b)}$, and the reasoning holds for any such $y$-variant, contradicting (7).


Let $\bot$ represent an arbitrary contradiction. A set of formulas $\Gamma$ is inconsistent iff $\Gamma \vdash \bot$. $\Gamma$ is consistent iff it is not inconsistent. A set of formulas $\Gamma$ is maximal iff for any formula $A$, either $A \in \Gamma$ or $\neg A \in \Gamma$. A set of formulas $\Gamma$ is deductively closed iff, if $\Gamma \vdash A$, then $A \in \Gamma$. We state without proof this standard result:


Lemma 5. Any maximally consistent set is deductively closed.


Extend $\mathcal{L}$ to a language $\mathcal{L}^+$ by adding countably many new constants ordered in a list $C = c_1, c_2, \ldots$. We will say that such a constant occurs parametrically if its occurrence satisfies the restrictions imposed on parameters in $(\Rightarrow\forall)$ and $(\iota_1\Rightarrow)$.


Theorem 4. Any consistent set of formulas $\Delta$ can be extended to a maximally consistent set $\Delta^+$ such that:

(a) for any formula $\varphi$ and variable $x$, if $\neg\forall x\varphi \in \Delta^+$, then for some constant $c$, $\neg\varphi^x_c \in \Delta^+$;

(b) for any formulas $\varphi, \psi$ and variables $x, y$, if $(\lambda x\psi)\iota y\varphi \in \Delta^+$, then for some constant $c$, $\varphi^y_c, \psi^x_c \in \Delta^+$ and for all terms $t$, if $\varphi^y_t \in \Delta^+$, then $t = c \in \Delta^+$;

(c) for any formulas $\varphi, \psi$ and variables $x, y$, if $\neg(\lambda x\psi)\iota y\varphi \in \Delta^+$, then for all terms $t$, either $\varphi^y_t \notin \Delta^+$, or for some constant $c$, $\varphi^y_c \in \Delta^+$ and $c = t \notin \Delta^+$, or $\psi^x_t \notin \Delta^+$.


Proof. Extend $\Delta$ by following an enumeration $\phi_1, \phi_2, \ldots$ of the formulas of $\mathcal{L}^+$ on which every formula occurs infinitely many times, as follows:


$\Delta_0 = \Delta$

If $\Delta_n, \phi_n$ is inconsistent, then $\Delta_{n+1} = \Delta_n$.

If $\Delta_n, \phi_n$ is consistent, then:

(i) If $\phi_n$ has neither the form $\neg\forall x\varphi$ nor $(\lambda x\psi)\iota y\varphi$ nor $\neg(\lambda x\psi)\iota y\varphi$, then $\Delta_{n+1} = \Delta_n, \phi_n$.
(ii) If $\phi_n$ has the form $\neg\forall x\varphi$, then $\Delta_{n+1} = \Delta_n, \neg\forall x\varphi, \neg\varphi^x_c$, where $c$ is the first constant of $C$ that does not occur in $\Delta_n$ or $\phi_n$.
(iii) If $\phi_n$ has the form $(\lambda x\psi)\iota y\varphi$, then $\Delta_{n+1} = \Delta_n, (\lambda x\psi)\iota y\varphi, \varphi^y_c, \psi^x_c$, where $c$ is the first constant of $C$ that does not occur in $\Delta_n$ or $\phi_n$.
(iv) If $\phi_n$ has the form $\neg(\lambda x\psi)\iota y\varphi$, then $\Delta_{n+1} = \Delta_n, \neg(\lambda x\psi)\iota y\varphi, \Sigma_n$, where $\Sigma_n$ is constructed in the following way. Take a sequence of formulas $\sigma_1, \sigma_2, \ldots$ of the form $\varphi^y_t \to (\psi^x_t \to \neg(\varphi^y_c \to c = t))$, where $t$ is a term in $\Delta_n, \phi_n$, and $c$ is a constant of $C$ not in $\Delta_n, \phi_n$ or any previous formula in the sequence. Let $\tau = t_1, t_2, \ldots$ be an enumeration of all terms occurring in $\Delta_n, \phi_n$. In case $\Delta_n$ contains infinitely many formulas, it must be ensured that $C$ is not depleted of constants needed later. So pick constants from $C$ by a method that ensures some constants are always left over for later use. The following will do. Let $\sigma_1$ be $\varphi^y_{t_1} \to (\psi^x_{t_1} \to \neg(\varphi^y_{c_1} \to c_1 = t_1))$, where $t_1$ is the first term of $\tau$ and $c_1$ is the first constant of $C$ not in $\Delta_n, \phi_n$; let $\sigma_2$ be $\varphi^y_{t_2} \to (\psi^x_{t_2} \to \neg(\varphi^y_{c_2} \to c_2 = t_2))$, where $t_2$ is the second term of $\tau$ and $c_2$ is the $2^2 = 4$th constant of $C$ not in $\Delta_n, \phi_n, \sigma_1$. In general, let $\sigma_n$ be $\varphi^y_{t_n} \to (\psi^x_{t_n} \to \neg(\varphi^y_{c_n} \to c_n = t_n))$, where $t_n$ is the $n$th term of $\tau$ and $c_n$ is the $2^n$th constant of $C$ not in $\Delta_n, \phi_n$ nor any $\sigma_i$, $i < n$. The entire collection of $\sigma_i$s is $\Sigma_n$.


$\Delta_{n+1}$ is consistent if $\Delta_n, \phi_n$ is:
Case (i). Trivial.


Case (ii). Suppose $\Delta_{n+1} = \Delta_n, \neg\forall x\varphi, \neg\varphi^x_c$ is inconsistent. Then for some finite $\Delta'_n \subseteq \Delta_n$: $\vdash \Delta'_n, \neg\forall x\varphi, \neg\varphi^x_c \Rightarrow \bot$. Hence $\vdash \Delta'_n, \neg\forall x\varphi \Rightarrow \varphi^x_c$ by the deductive properties of negation. $c$ does not occur in any formula in $\Delta'_n$, nor in $\neg\forall x\varphi$, so it occurs parametrically, and so by $(\Rightarrow\forall)$, $\vdash \Delta'_n, \neg\forall x\varphi \Rightarrow \forall x\varphi$. Hence $\vdash \Delta'_n \Rightarrow \forall x\varphi$, again by the deductive properties of negation. But then $\Delta'_n, \neg\forall x\varphi$ is inconsistent, and hence so is $\Delta_n, \neg\forall x\varphi$.


Case (iii). Suppose $\Delta_{n+1} = \Delta_n, (\lambda x\psi)\iota y\varphi, \varphi^y_c, \psi^x_c$ is inconsistent. Then for some finite $\Delta'_n \subseteq \Delta_n$, $\vdash \Delta'_n, (\lambda x\psi)\iota y\varphi, \varphi^y_c, \psi^x_c \Rightarrow \bot$. $c$ does not occur in $\Delta'_n, (\lambda x\psi)\iota y\varphi$, so it occurs parametrically, and hence by $(\iota_1\Rightarrow)$, $\vdash \Delta'_n, (\lambda x\psi)\iota y\varphi \Rightarrow \bot$, that is to say $\Delta'_n, (\lambda x\psi)\iota y\varphi$ is inconsistent, and so is $\Delta_n, (\lambda x\psi)\iota y\varphi$.


Case (iv). Suppose $\Delta_{n+1} = \Delta_n, \neg(\lambda x\psi)\iota y\varphi, \Sigma_n$ is inconsistent. Then for some finite $\Delta'_n \subseteq \Delta_n$ and a finite $(\sigma_j \ldots \sigma_k) \subseteq \Sigma_n$, $\vdash \Delta'_n, \neg(\lambda x\psi)\iota y\varphi, \sigma_j \ldots \sigma_k \Rightarrow \bot$. Let $\sigma_k$ be $\varphi^y_{t_k} \to (\psi^x_{t_k} \to \neg(\varphi^y_{c_k} \to c_k = t_k))$. Then by the deductive properties of implication and negation:

$\vdash \Delta'_n, \neg(\lambda x\psi)\iota y\varphi, \sigma_j \ldots \sigma_{k-1} \Rightarrow \varphi^y_{t_k}$

$\vdash \Delta'_n, \neg(\lambda x\psi)\iota y\varphi, \sigma_j \ldots \sigma_{k-1} \Rightarrow \psi^x_{t_k}$

$\vdash \Delta'_n, \neg(\lambda x\psi)\iota y\varphi, \sigma_j \ldots \sigma_{k-1}, \varphi^y_{c_k} \Rightarrow c_k = t_k$

$c_k$ was chosen so as not to occur in any previous $\sigma_i$, $i < k$, nor in $\Delta_n, \phi_n$. Hence it occurs parametrically and the conditions for $(\Rightarrow\iota)$ are fulfilled. Thus $\vdash \Delta'_n, \neg(\lambda x\psi)\iota y\varphi, \sigma_j \ldots \sigma_{k-1} \Rightarrow (\lambda x\psi)\iota y\varphi$. But $\vdash \Delta'_n, \neg(\lambda x\psi)\iota y\varphi, \sigma_j \ldots \sigma_{k-1} \Rightarrow \neg(\lambda x\psi)\iota y\varphi$. So $\Delta'_n, \neg(\lambda x\psi)\iota y\varphi, \sigma_j \ldots \sigma_{k-1}$ is inconsistent. Repeat this process from $\sigma_{k-1}$ all the way down to $\sigma_j$, showing that $\Delta'_n, \neg(\lambda x\psi)\iota y\varphi$ is inconsistent. Hence so is $\Delta_n, \neg(\lambda x\psi)\iota y\varphi$.


Let $\Delta^+$ be the union of all $\Delta_i$. $\Delta^+$ is maximal, for if neither $\varphi$ nor $\neg\varphi$ are in $\Delta^+$, then there is a $\Delta_k \subseteq \Delta^+$ such that $\Delta_k, \varphi \vdash \bot$ and $\Delta_k, \neg\varphi \vdash \bot$, but then $\Delta_k$ is inconsistent, contradicting the method of construction of $\Delta_k$. $\Delta^+$ is consistent, because otherwise some $\Delta_i$ would have to be inconsistent, but they are not.

$\Delta^+$ satisfies (a) by construction.

To see that it satisfies (b), suppose $(\lambda x\psi)\iota y\varphi \in \Delta^+$. Then there is a $\Delta_{n+1} = \Delta_n, (\lambda x\psi)\iota y\varphi, \varphi^y_c, \psi^x_c$, and so $\varphi^y_c, \psi^x_c \in \Delta^+$. Suppose $\varphi^y_t \in \Delta^+$. Then there is a $\Delta' \subseteq \Delta^+$ such that $\vdash \Delta' \Rightarrow \varphi^y_c$, $\vdash \Delta' \Rightarrow \varphi^y_t$, and by the properties of identity $\vdash t = c \Rightarrow t = c$. But then by $(\iota_2\Rightarrow)$, $\vdash \Delta', (\lambda x\psi)\iota y\varphi \Rightarrow t = c$, hence $t = c \in \Delta^+$ by the deductive closure of $\Delta^+$.

To see that it satisfies (c), suppose $\neg(\lambda x\psi)\iota y\varphi \in \Delta^+$, but for some term $t$, $\varphi^y_t \in \Delta^+$, (1) for all constants $c$, if $\varphi^y_c \in \Delta^+$, then $c = t \in \Delta^+$, and $\psi^x_t \in \Delta^+$. As every formula occurs infinitely many times on the enumeration of formulas of $\mathcal{L}^+$, there is a $\Delta_n$ that contains $\varphi^y_t$ and $\psi^x_t$ and $\Delta_{n+1} = \Delta_n, \neg(\lambda x\psi)\iota y\varphi, \Sigma_n$. Thus $\varphi^y_t \to (\psi^x_t \to \neg(\varphi^y_b \to b = t)) \in \Sigma_n$, for some constant $b$ of $C$. Consequently, this formula is in $\Delta^+$, too. By the deductive properties of implication and negation and the deductive closure and consistency of $\Delta^+$, (2) $\varphi^y_b \in \Delta^+$ and $b = t \notin \Delta^+$. But by (1) and (2), $b = t \in \Delta^+$. Contradiction.

This completes the proof of Theorem 4.


Theorem 5. If $\Delta$ is a consistent set of formulas, then $\Delta$ is satisfiable.


Proof. Extend $\Delta$ to a maximally consistent set $\Delta^+$ as per Theorem 4. We construct a structure $M = (D, I)$ and a function $v : VAR \cup PAR \to D$ from $\Delta^+$ which will satisfy $\Delta$. $D$ is the set of equivalence classes of terms under identities $t_1 = t_2 \in \Delta^+$. Denote the equivalence class to which $t$ belongs by $[t]$. For all predicate letters $P^n$, $([t_1], \ldots, [t_n]) \in I(P^n)$ iff $P^n(t_1, \ldots, t_n) \in \Delta^+$. For all variables $v(x) = [x]$, and for all parameters $v(a) = [a]$. In these latter cases $I_v = v$, and for all new constants of $C$, $I_v(c) = [c]$. We'll show by induction over the number of logical constants (connectives, quantifiers, $\iota$ and $\lambda$ symbols) in a formula $\varphi$ that $M, v \models \varphi$ if and only if $\varphi \in \Delta^+$.


Suppose $\varphi$ is an atomic formula. (a) $\varphi$ is $P^n(t_1, \ldots, t_n)$. Then $M, v \models P^n(t_1, \ldots, t_n)$ iff $(I_v(t_1), \ldots, I_v(t_n)) \in I(P^n)$, iff $([t_1], \ldots, [t_n]) \in I(P^n)$, iff $P^n(t_1, \ldots, t_n) \in \Delta^+$. (b) $\varphi$ is $t_1 = t_2$. Then $M, v \models t_1 = t_2$ iff $I_v(t_1) = I_v(t_2)$, iff $[t_1] = [t_2]$, and as these are equivalence classes under identities in $\Delta^+$, iff $t_1 = t_2 \in \Delta^+$.


For the rest of the proof suppose $M, v \models \varphi$ if and only if $\varphi \in \Delta^+$, where $\varphi$ has fewer than $n$ connectives. We skip the standard cases of $\neg$, $\wedge$, $\forall$ (see e.g. [7]).


Case 4. $\varphi$ is $(\lambda x\psi)t$.

$(\lambda x\psi)t \in \Delta^+$ iff $\psi^x_t \in \Delta^+$ by deductive closure of $\Delta^+$, iff $M, v \models \psi^x_t$ by induction hypothesis. $t$ must be free for $x$ in $\psi$, hence by the substitution lemma, $M, v \models \psi^x_t$ iff $M, v^x_{I_v(t)} \models \psi$, iff $M, v^x_{[t]} \models \psi$, as $I_v(t) = [t]$ holds by construction of $M$, and this in turn is the case iff $M, v \models (\lambda x\psi)t$ by the first semantic clause for lambda atoms.


Case 5. $\varphi$ is $(\lambda x\psi)\iota y\chi$.

(a) If $(\lambda x\psi)\iota y\chi \notin \Delta^+$, then by deductive closure $\neg(\lambda x\psi)\iota y\chi \in \Delta^+$, and so for all terms $t$, either $\chi^y_t \notin \Delta^+$, or for some constant $c$, $\chi^y_c \in \Delta^+$ and $c = t \notin \Delta^+$, or $\psi^x_t \notin \Delta^+$. $[t] \in D$ iff $t$ is a term, so by induction hypothesis, for all $[t] \in D$, either $M, v \not\models \chi^y_t$, or there is a $[c] \in D$ such that $M, v \models \chi^y_c$ and $M, v \not\models c = t$, or $M, v \not\models \psi^x_t$. $\chi^y_t$ is the same formula as $(\chi^y_x)^x_t$, so $M, v \not\models (\chi^y_x)^x_t$. Furthermore, $x$ and $y$ are not free in $\chi^y_c$, so for any $o \in D$, $M, v \models \chi^y_c$ iff $M, v^x_o \models \chi^y_c$. By the substitution lemma, either $M, v^x_{I_v(t)} \not\models \chi^y_x$, or $M, v^x_{I_v(t)} \not\models \psi$, or there is a $[c] \in D$ such that $M, (v^x_{I_v(t)})^y_{I_v(c)} \models \chi$ and $M, (v^x_{I_v(t)})^y_{I_v(c)} \not\models y = x$. $I_v(t) = [t]$ and $I_v(c) = [c]$, so either $M, v^x_{[t]} \not\models \chi^y_x$, or $M, v^x_{[t]} \not\models \psi$, or there is a $[c] \in D$ such that $M, (v^x_{[t]})^y_{[c]} \models \chi$ and $M, (v^x_{[t]})^y_{[c]} \not\models y = x$, i.e. $(v^x_{[t]})^y_{[c]}(y) \neq [t]$. $(v^x_{[t]})^y_{[c]}$ is a $y$-variant of $v^x_{[t]}$, hence $M, v \not\models (\lambda x\psi)\iota y\chi$.

(b) If $(\lambda x\psi)\iota y\chi \in \Delta^+$, then for some constant $c$, $\psi^x_c, \chi^y_c \in \Delta^+$ and for all terms $t$, if $\chi^y_t \in \Delta^+$, then $c = t \in \Delta^+$. By induction hypothesis, $M, v \models \psi^x_c$ and $M, v \models \chi^y_c$. As $y$ is either identical to $x$ or $x$ is not free in $\chi$, $\chi^y_c$ is the same formula as $(\chi^y_x)^x_c$, and $I_v(c) = [c]$, so by the substitution lemma $M, v^x_{[c]} \models \psi$ and $M, v^x_{[c]} \models \chi^y_x$. Furthermore, for all $[t] \in D$, if $M, v \models \chi^y_t$, then $M, v \models c = t$, i.e. $I_v(t) = I_v(c)$, i.e. $I_v(t) = [c]$. Let $v'$ be a $y$-variant of $v^x_{[c]}$, i.e. $v' = (v^x_{[c]})^y_{[s]}$ for some $[s] \in D$. Either $y$ is identical to $x$ or $x$ is not free in $\chi$, so $(v^x_{[c]})^y_{[s]}$ and $v$ agree on the assignments of elements of $D$ to all variables in $\chi$ except possibly $y$, and so $M, (v^x_{[c]})^y_{[s]} \models \chi$ iff $M, v^y_{[s]} \models \chi$. So suppose now $M, v' \models \chi$ and $v'(y) \neq [c]$. $v'(y) = [s]$, so $[c] \neq [s]$. Then $M, v^y_{[s]} \models \chi$, and also if $M, v \models \chi^y_s$, then $M, v \models c = s$, i.e. $I_v(s) = I_v(c)$, i.e. $I_v(s) = [c]$. But $I_v(s) = [s]$, so $I_v(s) \neq [c]$. Hence $M, v \not\models \chi^y_s$, and so by the substitution lemma, $M, v^y_{[s]} \not\models \chi$. Contradiction.


Finally, restrict the language again to the language of $\Delta$: the structure $M$ constructed from $\Delta^+$ satisfies $\Delta$. This completes the proof of Theorem 5.


Theorem 6 (Completeness for Sequents). If $\models \Gamma \Rightarrow \Delta$, then $\vdash \Gamma \Rightarrow \Delta$.


Proof. Let $\neg\Delta$ be the negation of all formulas in $\Delta$. If $\models \Gamma \Rightarrow \Delta$, then $\Gamma, \neg\Delta$ is not satisfiable. Hence by Theorem 5 it is inconsistent, and as they are both finite, $\vdash \Gamma, \neg\Delta \Rightarrow \bot$. Hence by the properties of negation $\vdash \Gamma \Rightarrow \Delta$.


Theorem 7 (Completeness for Sets). If $\Gamma \models A$, then $\Gamma \vdash A$.


Proof. Suppose $\Gamma \models A$. Then $\Gamma, \neg A$ is not satisfiable, hence by Theorem 5 it is inconsistent and $\Gamma, \neg A \vdash \bot$. So for some finite $X \subseteq \Gamma, \neg A$, $\vdash X \Rightarrow \bot$. If $\neg A \in X$, then by the deductive properties of negation, $\vdash X - \{\neg A\} \Rightarrow A$, and as $X - \{\neg A\}$ is certain to be a subset of $\Gamma$, $\Gamma \vdash A$. If $\neg A \notin X$, then $\vdash X \Rightarrow A$ by the properties of negation, and again $\Gamma \vdash A$.

By Theorems 1 and 7 we also obtain the (strong) completeness of HRL.


6 Conclusion 


Summing up, RL saves the essential features of the Russellian approach to definite descriptions. It avoids problems like the arbitrary restriction of axiom R to predicate symbols and scoping difficulties. In the semantics it retains the reductionist Russellian flavour in the sense that DD are not characterised by an interpretation function, but instead they are treated as a case in the clauses of the forcing definition for lambda atoms. In this respect RL is different from the approach provided by Fitting and Mendelsohn [10], which is closer to the Fregean tradition.

The rules of GRL are in principle direct counterparts of the tableau rules from [17], but with two important exceptions. The tableau rule corresponding to $(=\Rightarrow)$ is not restricted to atomic formulas, and the tableau rule corresponding to $(\iota_2\Rightarrow)$ is not branching. Its counterpart in sequent calculus would be:


$$\dfrac{b_1 = b_2, \Gamma \Rightarrow \Delta}{(\lambda x\psi)\iota y\varphi, \varphi[y/b_1], \varphi[y/b_2], \Gamma \Rightarrow \Delta}$$


Such a non-branching rule is certainly much better for proof search, but it is not 
possible to prove the cut elimination theorem in its presence. The same applies 
to $(=\Rightarrow)$ without restriction to atomic formulas. In both cases the occurrences 
of arbitrary formulas $\varphi$ in the antecedent of the conclusion can be cut formulas 
and, in case the cut formula in the left premiss of the cut application is principal, 
it is not possible to reduce the complexity of the cut formulas. 

There is an interesting advantage of introducing the sequent characterisation 
of RL over the tableau formalisation from [17]. Since no rule specific to GRL has 
more than one active formula in the succedent, they are also correct in the setting 
of intuitionistic logic as characterised by G1i [34]. It is sufficient to change the 
background calculus for the intuitionistic version (with $(\leftrightarrow\Rightarrow)$, $(\Rightarrow\vee)$ split into 
two rules, and $(\Rightarrow C)$, $(\Rightarrow W)$ deleted) and check that all proofs from Sect. 3 
and 4 hold also for a (syntactically characterised) intuitionistic version of RL. By 
comparison, the changes in the tableau setting would be rather more involved 
and connected with the introduction of labels for naming the states of knowledge 
in the constructed model. 

The approach provided here may also be modified to cover some more expres- 
sive logics (like modal ones) and some other theories of DD, like those proposed 
in the context of free logics. Some preliminary work in this direction is found in 
[12] and [13]. On the other hand, the problems briefly mentioned in Sect. 1 need 
serious examination, and this may be carried out only after the implementation 
of the presented formal systems. This is one of the most important future tasks. 


Abstract. Term-forming operators (tfos), like the iota- or epsilon-operator, 
are technical devices applied to build complex terms in formal languages. 
Although they are very useful in practice, their theory is not well devel- 
oped. In the paper we provide a proof-theoretic formulation of the general 
approach to tfos provided independently by several authors like Scott, 
Hatcher and Corcoran, and compare it with an approach proposed later by 
Tennant. Eventually it is shown how the general theory can be applied 
to specific areas like Quine’s set theory NF. 
1 Introduction 


In formal languages terms are usually treated as those elements of the language 
which only refer to objects in the domain of discourse. In particular, this way 
of treating terms is prevalent in proof theory and automated deduction, where 
usually only functional terms are admitted. In contrast, in natural languages 
naming expressions are very often used not only for referring to objects but also 
for conveying information about them. In the earlier stages of development of 
mathematical logic several formal devices were introduced for this aim which 
are currently rather neglected. These term-forming operators, also called shortly 
tfos or vbtos (variable binding term operators), include, among others: 


— iota-operator (Peano): $\iota x\varphi$ - the (only) $x$ such that $\varphi$; 

— epsilon-operator (Hilbert): $\varepsilon x\varphi$ - a(n) $x$ such that $\varphi$; 

— abstraction-operator: $\{x : \varphi\}$ - the set of (all) $x$ satisfying $\varphi$; 

— counting-operator (Frege): $\sharp x\varphi$ - the number of $x$ such that $\varphi$; 

— lambda-operator (Church): $\lambda x\varphi$ - the property of being $\varphi$. 
It seems that currently only the lambda-operator is treated as an important 
tool and has found diverse applications in recursion theory, type theory and proof 
theory. The abstraction-operator, although commonly used in practice, is not 
treated seriously in the formal development of set theories. The remaining ones 
are sadly treated as formal tools having only some historical value. Since the role 
of complex terms as information conveying tools is crucial in communication, it 
is important to fill this gap. 

Recently, some more attention was paid to the proof theory of definite descrip- 
tions. In particular, cut-free sequent calculi were provided for Fregean [11], Rus- 
sellian [17] and free description theories [13]. The latter theories were also char- 
acterised in terms of tableau systems [18], and a tableau calculus was also used to 
develop a Russellian theory in the language enriched with the lambda-operator [19]. 
Some modal logics of definite descriptions were also developed in terms of cut- 
free sequent calculus [10]; in particular, the logic of Fitting and Mendelsohn [5] 
was independently formalised as a labelled sequent calculus [28] and as a hybrid 
system [12]. Alternatively, interesting natural deduction and sequent calculi were 
proposed for free and intuitionistic logics of definite descriptions characterised 
in terms of a binary quantifier [21-25]. 

Since definite descriptions are amenable to proof-theoretic treatment, it is 
tempting to suspect that for other tfos we can obtain equally interesting results. 
Perhaps one should start by asking whether a general theory of such operators 
is possible at all. In fact at least two different attempts to develop such 
a theory were proposed. The earlier approach was independently introduced by 
several authors, including: Scott [32], Da Costa [3,4], Hatcher [7,8], Corcoran and 
Herring [1,2]. It was formulated semantically and as an axiomatic theory. In what 
follows it will be called simply S-theory (after Scott). The second approach was 
introduced by Neil Tennant [33], and then developed in [35] as a general theory of 
abstraction operators (see also [34,36]). This T-theory was formulated in terms 
of a natural deduction system and with an adequate semantical characterisation. In 
what follows we will examine these two approaches and show how they can be 
formulated as well-behaved sequent calculi in Sect. 3. Then, in Sect. 4 we consider 
their specification with respect to the set-abstraction operator. For this aim we focus 
on Quine's version of set theory NF (New Foundations) [29] (see also [30]), but 
the proposed systems may be modified to apply to other formulations of set 
theory as well. 


2 Preliminaries 


We will be using standard first-order predicate languages with quantifiers $\forall$, $\exists$, 
identity predicate $=$ and an arbitrary term-forming operator $\tau$ making complex 
terms from formulae of the language. The definition of a term and formula is 
standard, by simultaneous recursion on both categories. In the presented system 
the only terms are variables and complex terms constructed by means of an arbi- 
trary unary tfo $\tau$. The complex terms are written as $\tau x\varphi$, where $\varphi$ is a formula 
in the scope of the respective operator. 
In accordance with Gentzen’s custom we divide individual variables into 
bound variables $VAR = \{x, y, z, \ldots\}$ and free variables (parameters) $PAR = \{a, b, c, \ldots\}$. 
This makes the elaboration of some technical issues concerning substitution 
and proof transformations easier. In the metalanguage $\varphi, \psi, \chi$ denote any formulae 
and $\Gamma, \Delta, \Pi, \Sigma$ their multisets. Metavariables $t, t_1, \ldots$ denote arbitrary terms. 
$\varphi[t_1/t_2]$ is officially used for the operation of correct substitution of a term $t_2$ 
for all occurrences of a term $t_1$ (a variable or parameter) in $\varphi$, and similarly 
$\Gamma[t_1/t_2]$ for a uniform substitution in all formulae in $\Gamma$. Occasionally, we will use 
the simplified notation $\varphi(t)$ to denote the result of correct substitution. 

First-order logic in general will be abbreviated as FOL, or FOLI if identity is 
primitive. CFOL(I), PFFOL(I), NFFOL(I) denote the classical, positive free and 
negative free versions. The basic system GC for CFOL consists of the following 
rules: 


$$(AX)\ \varphi \Rightarrow \varphi \qquad (Cut)\ \frac{\Gamma \Rightarrow \Delta, \varphi \quad \varphi, \Pi \Rightarrow \Sigma}{\Gamma, \Pi \Rightarrow \Delta, \Sigma}$$

$$(\neg\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta, \varphi}{\neg\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\neg)\ \frac{\varphi, \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta, \neg\varphi}$$

$$(W\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta}{\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow W)\ \frac{\Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta, \varphi}$$

$$(C\Rightarrow)\ \frac{\varphi, \varphi, \Gamma \Rightarrow \Delta}{\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow C)\ \frac{\Gamma \Rightarrow \Delta, \varphi, \varphi}{\Gamma \Rightarrow \Delta, \varphi}$$

$$(\wedge\Rightarrow)\ \frac{\varphi, \psi, \Gamma \Rightarrow \Delta}{\varphi \wedge \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\wedge)\ \frac{\Gamma \Rightarrow \Delta, \varphi \quad \Gamma \Rightarrow \Delta, \psi}{\Gamma \Rightarrow \Delta, \varphi \wedge \psi}$$

$$(\vee\Rightarrow)\ \frac{\varphi, \Gamma \Rightarrow \Delta \quad \psi, \Gamma \Rightarrow \Delta}{\varphi \vee \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\vee)\ \frac{\Gamma \Rightarrow \Delta, \varphi, \psi}{\Gamma \Rightarrow \Delta, \varphi \vee \psi}$$

$$(\to\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta, \varphi \quad \psi, \Gamma \Rightarrow \Delta}{\varphi \to \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\to)\ \frac{\varphi, \Gamma \Rightarrow \Delta, \psi}{\Gamma \Rightarrow \Delta, \varphi \to \psi}$$

$$(\leftrightarrow\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta, \varphi, \psi \quad \varphi, \psi, \Gamma \Rightarrow \Delta}{\varphi \leftrightarrow \psi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\leftrightarrow)\ \frac{\varphi, \Gamma \Rightarrow \Delta, \psi \quad \psi, \Gamma \Rightarrow \Delta, \varphi}{\Gamma \Rightarrow \Delta, \varphi \leftrightarrow \psi}$$

$$(\forall\Rightarrow)\ \frac{\varphi[x/t], \Gamma \Rightarrow \Delta}{\forall x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\forall)\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/a]}{\Gamma \Rightarrow \Delta, \forall x\varphi}$$

$$(\exists\Rightarrow)\ \frac{\varphi[x/a], \Gamma \Rightarrow \Delta}{\exists x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\exists)\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/t]}{\Gamma \Rightarrow \Delta, \exists x\varphi}$$


where $a$ is a fresh parameter (eigenvariable), not present in $\Gamma$, $\Delta$ and $\varphi$. 
If instead of $(\forall\Rightarrow)$ and $(\Rightarrow\exists)$ we introduce: 

$$(\forall\Rightarrow)\ \frac{\varphi[x/b], \Gamma \Rightarrow \Delta}{\forall x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\exists)\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/b]}{\Gamma \Rightarrow \Delta, \exists x\varphi}$$

we obtain a pure variant GPC which is adequate for CFOL with variables as the 
only terms but in general incomplete for extensions with some tfos. 

The variant GF for PFFOL can be obtained by changing all quantifier rules 
into: 

$$(\forall\Rightarrow)^F\ \frac{\varphi[x/t], \Gamma \Rightarrow \Delta}{Et, \forall x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\forall)^F\ \frac{Ea, \Gamma \Rightarrow \Delta, \varphi[x/a]}{\Gamma \Rightarrow \Delta, \forall x\varphi}$$

$$(\exists\Rightarrow)^F\ \frac{Ea, \varphi[x/a], \Gamma \Rightarrow \Delta}{\exists x\varphi, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow\exists)^F\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/t]}{Et, \Gamma \Rightarrow \Delta, \exists x\varphi}$$

where $E$ is the existence predicate, which is usually defined as $Et := \exists x(x = t)$. 
This form of rules follows from the fact that in free logics terms may designate 
nonexistent objects whereas quantifiers have existential import. For the pure version 
GPF again we use $b$ instead of $t$ in $(\forall\Rightarrow)^F$ and $(\Rightarrow\exists)^F$. 
Moreover, in negative free logic atomic formulae with such terms are false, 
which implies that $Et \leftrightarrow t = t$ and $\varphi(t) \to Et$, for any atomic formula $\varphi$. Hence 
to obtain GNF (or GPNF) for NFFOL we have to add to GF (or GPF) the rule 
requiring all predicates to be strict in the sense that they are satisfied only by 
denoting terms: 

$$(Str)\ \frac{Et, \Gamma \Rightarrow \Delta}{\varphi(t), \Gamma \Rightarrow \Delta}$$

where $\varphi$ is atomic. 

Identity can be characterised in GC (GPC) and GF (GPF) in several ways 
(see [16]). For our purposes we use the following rules: 

$$(Ref)\ \frac{t = t, \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta} \qquad (2LL)\ \frac{\Gamma \Rightarrow \Delta, t_1 = t_2 \quad \Gamma \Rightarrow \Delta, \varphi[x/t_1]}{\Gamma \Rightarrow \Delta, \varphi[x/t_2]}$$

where $\varphi$ is atomic. 

GCI, GPCI, GFI, GPFI will denote the respective calculi with the rules for 
identity added. In the case of NFFOLI, due to the strictness condition, reflexivity does 
not hold unconditionally and we must weaken the first rule, using instead: 

$$(Ref)^N\ \frac{t = t, \Gamma \Rightarrow \Delta}{Et, \Gamma \Rightarrow \Delta}$$

GNFI, GPNFI will denote the respective calculi for NFFOLI with the rules 
for identity having $(Ref)^N$. 

Proofs are defined in the standard way as finite trees with nodes labelled 
by sequents. The height of a proof $\mathcal{D}$ of $\Gamma \Rightarrow \Delta$ is defined as the number of 
nodes of the longest branch in $\mathcal{D}$. $\vdash_k \Gamma \Rightarrow \Delta$ means that $\Gamma \Rightarrow \Delta$ has a proof 
with height at most $k$. Let us recall that formulae displayed in the schemata 
are active, whereas the remaining ones are parametric, or form a context. In 
particular, all active formulae in the premisses are called side formulae, and the 
one in the conclusion is the principal formula of the respective rule application. 

Note that the Cut-elimination theorem holds for all above mentioned calculi 
(see e.g. [15]) and the full Leibniz Law LL: $t_1 = t_2, \varphi[x/t_1] \Rightarrow \varphi[x/t_2]$ (for 
an arbitrary formula $\varphi$) is also provable. 


3 The General Theory 


The S-theory of tfos is expressed by two general principles: 

$$EXT:\ \forall x(\varphi(x) \leftrightarrow \psi(x)) \to \tau x\varphi(x) = \tau x\psi(x)$$
$$AV:\ \tau x\varphi(x) = \tau y\varphi(y)$$

or, equivalently, by one principle: 

$$EXTAV:\ \forall xy(x = y \to (\varphi(x) \leftrightarrow \psi(y))) \to \tau x\varphi(x) = \tau y\psi(y)$$
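As an added worked derivation (it is not part of the paper), the equivalence just stated can be checked with the paper's own symbols. It assumes only the classical background CFOLI, in particular the full Leibniz Law LL, reflexivity of $=$, and transitivity of $=$ (itself an instance of LL); $\varphi$, $\psi$ and $\tau$ are as above. 

1. AV from EXTAV. Take $\psi := \varphi$. The antecedent 
$$\forall xy(x = y \to (\varphi(x) \leftrightarrow \varphi(y)))$$ 
is an instance of LL, so EXTAV yields $\tau x\varphi(x) = \tau y\varphi(y)$, which is AV. 

2. EXT from EXTAV. Assume $\forall x(\varphi(x) \leftrightarrow \psi(x))$. For any $x, y$ with $x = y$, LL gives $\psi(x) \leftrightarrow \psi(y)$, hence $\varphi(x) \leftrightarrow \psi(y)$. Thus 
$$\forall xy(x = y \to (\varphi(x) \leftrightarrow \psi(y)))$$ 
and EXTAV yields $\tau x\varphi(x) = \tau y\psi(y)$. By AV (step 1, applied to $\psi$) $\tau y\psi(y) = \tau x\psi(x)$, and transitivity gives $\tau x\varphi(x) = \tau x\psi(x)$, which is EXT. 

3. EXTAV from EXT and AV. Assume $\forall xy(x = y \to (\varphi(x) \leftrightarrow \psi(y)))$. Instantiating $y := x$ and discharging $x = x$ by reflexivity gives $\forall x(\varphi(x) \leftrightarrow \psi(x))$; EXT yields $\tau x\varphi(x) = \tau x\psi(x)$, AV (for $\psi$) yields $\tau x\psi(x) = \tau y\psi(y)$, and transitivity gives 
$$\tau x\varphi(x) = \tau y\psi(y),$$ 
which is the consequent of EXTAV. 

Step 2 is the only place where EXT is not a direct instance of EXTAV: the bridge from $\tau y\psi(y)$ back to $\tau x\psi(x)$ needs AV, which is why the pair EXT, AV and the single EXTAV are interderivable but neither of EXT, AV alone is equivalent to EXTAV. 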
Such a general theory was first developed on the basis of positive free first- 
order logic with identity by Scott [32]. However, the remaining authors used 
classical first-order logic with identity as the basis. In both cases the gen- 
eral completeness theorem was provided, together with several important model-theoretic 
results which hold for CFOLI (see in particular Da Costa [4]). In what follows, 
we will pay more attention to the classical case, since for several kinds of tfos, in 
particular for descriptions, it is rather difficult to find reasonable theories, in 
contrast to the situation in free logic (see [26]). 

Several possible objections can be raised against such a theory. In a sense it 
is too general and too weak; on the other hand, for specific kinds of operators it 
may be too strong, in particular in the setting of classical logic. Let us illustrate 
these remarks with some examples. For the $\iota$-operator Rosser [30] is 
forced to add (in CFOLI) to EXT and AV the following axiom: 

$$\exists! x\varphi(x) \to \forall x(x = \iota x\varphi(x) \to \varphi(x))$$

which still gives an incomplete logic, as noticed by Hailperin [6]. Da Costa [4] 
adds: 

$$\exists! x\varphi(x) \to \forall x(x = \iota x\varphi(x) \leftrightarrow \varphi(x)) \quad \text{and}$$

$$\neg\exists! x\varphi(x) \to \iota x\varphi(x) = \iota x(x \neq x)$$


In fact, the theory of descriptions axiomatised by the addition of these two 
axioms to EXT and AV is redundant, since the latter principles can be proven 
with their help. This theory is in fact equivalent to Fregean/Carnapian theory of 
descriptions (often called the chosen object theory), in particular in the formu- 
lation of Kalish and Montague [20]. However, we call an S-theory every theory 
of arbitrary tfo where EXT and AV hold either as axioms or as derived theses. 

On the other hand, for some theories of definite descriptions these two princi- 
ples are too strong. For example, in the Russellian theory [31,37] neither principle 
holds. Instead we have their weaker versions: 

$$wEXT:\ E\iota x\varphi(x) \to (\forall x(\varphi(x) \leftrightarrow \psi(x)) \to \iota x\varphi(x) = \iota x\psi(x))$$
$$wAV:\ E\iota x\varphi(x) \to \iota x\varphi(x) = \iota y\varphi(y).$$


In other cases of tfos, like the set-abstraction operator or the counting operator, EXT 
may be even more disastrous, since for the latter it yields one half of Frege's 
ill-famed Law V, in fact the half which is sufficient for deriving a contradiction. 
Similar problems with set-abstraction will be discussed below. 


3.1 The Formalisation of S-Theory 


To obtain an adequate sequent calculus for S-theory we add to GCI the following 
two rules: 

$$(Ext)\ \frac{\varphi(a), \Gamma \Rightarrow \Delta, \psi(a) \quad \psi(a), \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, \tau x\varphi(x) = \tau x\psi(x)}$$

$$(AV)\ \frac{\tau x\varphi(x) = \tau y\varphi(y), \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}$$

where $a$ is a fresh parameter. 
Alternatively, we can add just one rule corresponding to EXTAV: 

$$(ExtAV)\ \frac{a = b, \varphi(a), \Gamma \Rightarrow \Delta, \psi(b) \quad a = b, \psi(b), \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, \tau x\varphi(x) = \tau y\psi(y)}$$

where both $a, b$ are fresh parameters. 


Theorem 1. GCI+{(Ext), (AV)} and GCI+{(ExtAV)} are equivalent to 
axiomatic formulations of the S-theory of tfos. 


Proof. It is sufficient to prove the respective axioms in GCI+{(Ext), (AV)} or in 
GCI+{(ExtAV)} and to show that the above rules are derivable in GCI with 
added axioms EXT, AV or EXTAV. We will show this for the more compact 
version with (ExtAV) and EXTAV; proofs for the remaining rules and axioms 
are similar and simpler. Provability of EXTAV: 


$$\dfrac{\dfrac{\dfrac{\dfrac{a = b, \varphi(a) \Rightarrow \psi(b), a = b \qquad \varphi(a) \leftrightarrow \psi(b), a = b, \varphi(a) \Rightarrow \psi(b)}{a = b \to (\varphi(a) \leftrightarrow \psi(b)), a = b, \varphi(a) \Rightarrow \psi(b)}\ (\to\Rightarrow)}{\forall xy(x = y \to (\varphi(x) \leftrightarrow \psi(y))), a = b, \varphi(a) \Rightarrow \psi(b)}\ (\forall\Rightarrow)\times 2 \qquad \mathcal{D}}{\forall xy(x = y \to (\varphi(x) \leftrightarrow \psi(y))) \Rightarrow \tau x\varphi(x) = \tau y\psi(y)}\ (ExtAV)}{\Rightarrow \forall xy(x = y \to (\varphi(x) \leftrightarrow \psi(y))) \to \tau x\varphi(x) = \tau y\psi(y)}\ (\Rightarrow\to)$$

where the rightmost leaf is provable and $\mathcal{D}$ is an analogous proof of $\forall xy(x = 
y \to (\varphi(x) \leftrightarrow \psi(y))), a = b, \psi(b) \Rightarrow \varphi(a)$. 
Derivability of (ExtAV): 

$$\dfrac{\dfrac{\dfrac{\dfrac{a = b, \varphi(a), \Gamma \Rightarrow \Delta, \psi(b) \qquad a = b, \psi(b), \Gamma \Rightarrow \Delta, \varphi(a)}{a = b, \Gamma \Rightarrow \Delta, \varphi(a) \leftrightarrow \psi(b)}\ (\Rightarrow\leftrightarrow)}{\Gamma \Rightarrow \Delta, a = b \to (\varphi(a) \leftrightarrow \psi(b))}\ (\Rightarrow\to)}{\Gamma \Rightarrow \Delta, \forall xy(x = y \to (\varphi(x) \leftrightarrow \psi(y)))}\ (\Rightarrow\forall)\times 2 \qquad \mathcal{D}}{\Gamma \Rightarrow \Delta, \tau x\varphi(x) = \tau y\psi(y)}\ (Cut)$$

where both leaves are premisses and $\mathcal{D}$ is a proof of $\forall xy(x = y \to (\varphi(x) \leftrightarrow 
\psi(y))) \Rightarrow \tau x\varphi(x) = \tau y\psi(y)$ from the axiom $\Rightarrow EXTAV$. 


Let us consider the question of cut elimination for either of the two for- 
malisations of S-theory. We can observe that the choice of the rule (2LL) for 
representation of LL was connected with the shape of (Ext) or (ExtAV). In 
both calculi identities can appear as the principal formulae of some rule applica- 
tion only in the succedent. This makes it safe for proving cut elimination since 
identities in antecedents can only appear either as parametric formulae or as for- 
mulae introduced by weakening. In both cases if identity is a cut formula under 
consideration it is eliminable either by induction on the height of cut or directly. 
Still there is a problem connected with the application of $(\forall\Rightarrow)$ and $(\Rightarrow\exists)$ to 
complex terms. If for example $\forall x\varphi$ is a cut formula which was in both premisses 
of cut introduced as the principal formula, and in the right premiss $x$ was instan- 
tiated with $\tau y\psi$, then the formula $\varphi[x/\tau y\psi]$ may have higher complexity than 
$\forall x\varphi$ and the induction on the complexity of cut formulae fails. This problem 
may be overcome either by introducing a more complex way of measuring the 
complexity of formulae (see e.g. [11]) or by replacing the basic calculus GCI with 
its pure version GPCI. Of course, the restriction of all quantifier rules to param- 
eters makes the calculus with complex terms incomplete. However, to avoid the 
loss of generality we can add to GPCI the rule: 

$$(a=)\ \frac{a = \tau x\varphi(x), \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}$$

where $a$ is a fresh parameter. 


Theorem 2. The calculus GPCI+{(Ext), (AV)} (or GPCI+{(ExtAV)}) with 
added $(a=)$ is equivalent to GCI+{(Ext), (AV)} (or GCI+{(ExtAV)}). 


Proof. It is enough to show that $(a=)$ is derivable in GCI: 

$$\dfrac{\dfrac{\dfrac{\tau x\varphi(x) = \tau x\varphi(x) \Rightarrow \tau x\varphi(x) = \tau x\varphi(x)}{\Rightarrow \tau x\varphi(x) = \tau x\varphi(x)}\ (Ref)}{\Rightarrow \exists y(y = \tau x\varphi(x))}\ (\Rightarrow\exists) \qquad \dfrac{a = \tau x\varphi(x), \Gamma \Rightarrow \Delta}{\exists y(y = \tau x\varphi(x)), \Gamma \Rightarrow \Delta}\ (\exists\Rightarrow)}{\Gamma \Rightarrow \Delta}\ (Cut)$$

and that unrestricted $(\forall\Rightarrow)$, $(\Rightarrow\exists)$ are derivable in GPC with $(a=)$: 

$$\dfrac{\dfrac{\dfrac{\Gamma \Rightarrow \Delta, \varphi(\tau x\psi(x)) \qquad \varphi(\tau x\psi(x)), a = \tau x\psi(x) \Rightarrow \varphi(a)}{a = \tau x\psi(x), \Gamma \Rightarrow \Delta, \varphi(a)}\ (Cut)}{a = \tau x\psi(x), \Gamma \Rightarrow \Delta, \exists x\varphi}\ (\Rightarrow\exists)}{\Gamma \Rightarrow \Delta, \exists x\varphi}\ (a=)$$

where the rightmost sequent, being an instance of LL, is provable. A similar proof 
works for $(\forall\Rightarrow)$. 


Let us call GPCI+{(Ext), (AV)} (or GPCI+{(ExtAV)}) with added $(a=)$ 
simply GS (GS'). Note that for both systems the following lemma holds: 

Lemma 1. 1. $\vdash t_1 = t_2, \varphi[x/t_1] \Rightarrow \varphi[x/t_2]$, for any formula $\varphi$. 
2. If $\vdash_k \Gamma \Rightarrow \Delta$, then $\vdash_k \Gamma[b_1/b_2] \Rightarrow \Delta[b_1/b_2]$, where $k$ is the height of a proof. 


Proof. 1. follows by induction on the complexity of $\varphi$ and is standard for all 
cases. The proof of 2 is by induction on the height of proofs. 


The first result is Leibniz’ Law (LL) stated in full generality, i.e. covering also 
complex terms. Since (2LL) yields only LL restricted to atomic formulae, we need 
its unrestricted form for completeness. The second result is a substitution lemma 
which is necessary for unifying terms while proving the cut elimination theorem. 
Note that it is restricted to parameters only, but in the case of GS (GS'), which 
is an extension of GPCI, this is sufficient since only parameters are instantiated 
for bound variables in all applications of quantifier rules. 
Theorem 3. The cut elimination theorem holds for GS and GS’. 


Proof. The proof is standard and essentially requires two inductions: on the 
complexity of cut formula and on the height of the derivations of both premisses 
of cut. In general we can follow the strategy applied for example in [15]; here we 
focus only on the crucial points connected with the new rules which could lead 
to troubles. 

Consider the situation where the cut formula in the left premiss is the prin- 
cipal formula of an application of (2LL). It is an atomic formula, possibly an 
identity. Since in no logical rule can an atomic formula in the antecedent be a prin- 
cipal formula, in the right premiss a suitable cut formula is either introduced 
by weakening or is just a parametric formula. In the first case it is directly elim- 
inated, in the second it is eliminated by induction on the height of the proof. 
The case where the right premiss is axiomatic is also directly eliminable. 

The cases where in the left premiss the cut formula is the principal formula 
of an application of (Ext) or (ExtAV) are treated in a similar way. Eventually, 
rules like (AV) or $(a=)$ have no impact on the elimination of cuts since there 
are no principal formulae in the conclusion. 


Although we cannot totally avoid the loss of the subformula property in GS 
and GS', the introduction of complex terms is separated from the quantifier rules, 
which is technically more desirable. In fact, from the semantic point of view we 
do not really need to introduce an arbitrary complex term in the premiss 
while doing a proof-search. The rule is required only for those terms which either 
occur already in $\Gamma, \Delta$, or have in their scope the formulae from $\Gamma, \Delta$. It can be 
shown by providing a Hintikka-style completeness proof for this system, which is 
possible since Henkin-style proofs were provided by the mentioned authors; we 
omit the details because of space restrictions. 

In fact, for the needs of proof-search we could simplify GS (GS') a little bit. 
In particular we could use the more convenient one-premiss rule of Negri and von 
Plato [27] for LL of the form: 


$$(1LL)\ \frac{\varphi(t_2), \Gamma \Rightarrow \Delta}{t_1 = t_2, \varphi(t_1), \Gamma \Rightarrow \Delta}$$

for all cases where at least one of $t_1, t_2$ is a parameter and $\varphi(t_1)$ is not an identity 
with both arguments being complex terms. In fact, the only troublesome cases 
of LL which could make a clash in the proof of cut elimination are three: 

1. $b = t, t = t' \Rightarrow b = t'$ 

2. $t = t', \varphi(t) \Rightarrow \varphi(t')$ 

3. $t = t', t' = t'' \Rightarrow t = t''$ 

where $t, t'$ are complex terms, and only for these cases a two-premiss rule (2LL) 
is necessary. 
Also note that instead of (Ref) we can use the more restricted version: 

$$(Ref')\ \frac{b = b, \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}$$

since $\tau x\varphi(x) = \tau x\varphi(x)$ is derivable by (Ext) or (ExtAV). 


3.2 The Formalisation of T-Theory 


The theory of abstraction-operators developed by Tennant, which we call here a 
T-theory of tfos, is generally much stronger than S-theory. But we must empha- 
size that it is formulated in the setting of a much weaker logic, namely NFFOLI 
(negative free FOLI), where not only the quantifier rules are weaker but also the 
identity is not (unconditionally) reflexive. 

Tennant’s theory of tfo is based on the following natural deduction rules: 

$(\tau I)$ If $\varphi(a), Ea \vdash aRt$ and $aRt \vdash \varphi(a)$ and $Et$, then $t = \tau x\varphi(x)$; 

$(\tau E1)$ If $t = \tau x\varphi(x)$ and $\varphi(b)$ and $Eb$, then $bRt$; 

$(\tau E2)$ If $t = \tau x\varphi(x)$, then $Et$; 

$(\tau E3)$ If $t = \tau x\varphi(x)$ and $bRt$, then $\varphi(b)$; 

where $a$ is an eigenvariable, and $R$ is a specific relation involved in the charac- 
terisation of $\tau$. For example, $R$ is $=$ for the case of $\iota$, and $\in$ for the set-abstraction 
operator. The corresponding sequent rules are: 


$$(\Rightarrow\tau)\ \frac{\Gamma \Rightarrow \Delta, Et \quad Ea, \varphi(a), \Gamma \Rightarrow \Delta, aRt \quad aRt, \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, t = \tau x\varphi(x)}$$

where $a$ is not in $\Gamma, \Delta, \varphi$ 

$$(\tau 1)\ \frac{\Gamma \Rightarrow \Delta, Eb \quad \Gamma \Rightarrow \Delta, \varphi(b) \quad \Gamma \Rightarrow \Delta, t = \tau x\varphi(x)}{\Gamma \Rightarrow \Delta, bRt}$$

$$(\tau 2)\ \frac{\Gamma \Rightarrow \Delta, t = \tau x\varphi(x)}{\Gamma \Rightarrow \Delta, Et} \qquad (\tau 3)\ \frac{\Gamma \Rightarrow \Delta, bRt \quad \Gamma \Rightarrow \Delta, t = \tau x\varphi(x)}{\Gamma \Rightarrow \Delta, \varphi(b)}$$


To get a more standard SC we can apply the rule-generation theorem (see e.g. 
[14]) and obtain left introduction rules for $\tau$: 

$$(\tau\Rightarrow 1)\ \frac{\Gamma \Rightarrow \Delta, Eb \quad \Gamma \Rightarrow \Delta, \varphi(b) \quad bRt, \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta}$$

$$(\tau\Rightarrow 2)\ \frac{Et, \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta} \qquad (\tau\Rightarrow 3)\ \frac{\Gamma \Rightarrow \Delta, bRt \quad \varphi(b), \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta}$$


Note that if we transfer these rules to the setting of CFOLI we do not need 
formulae of the form $Et$, and the rule $(\tau\Rightarrow 2)$, being specific to negative free 
logic, is superfluous. As a result we obtain the following three rules: 

$$(\Rightarrow\tau)\ \frac{\varphi(a), \Gamma \Rightarrow \Delta, aRt \quad aRt, \Gamma \Rightarrow \Delta, \varphi(a)}{\Gamma \Rightarrow \Delta, t = \tau x\varphi(x)}$$

where $a$ is not in $\Gamma, \Delta, \varphi$ 

$$(\tau\Rightarrow 1)\ \frac{\Gamma \Rightarrow \Delta, \varphi(b) \quad bRt, \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta} \qquad (\tau\Rightarrow 2)\ \frac{\Gamma \Rightarrow \Delta, bRt \quad \varphi(b), \Gamma \Rightarrow \Delta}{t = \tau x\varphi(x), \Gamma \Rightarrow \Delta}$$


In general what we obtain with these rules is equivalent to the following 
principle, often called the Lambert axiom: 

$$LA:\ \forall y(y = \tau x\varphi(x) \to \forall x(\varphi(x) \leftrightarrow xRy))$$

which is derivable also in the setting of NFFOLI. In the setting of CFOLI it is 
equivalent to the Hintikka axiom: 

$$HA:\ t = \tau x\varphi(x) \leftrightarrow \forall x(\varphi(x) \leftrightarrow xRt)$$


for which we demonstrate syntactically the equivalence with the stated rules. In 
one direction we have (weakening steps omitted): 

$$\dfrac{\dfrac{\dfrac{\varphi[x/a] \Rightarrow \varphi[x/a] \qquad aRt \Rightarrow aRt}{t = \tau x\varphi(x), \varphi[x/a] \Rightarrow aRt}\ (\tau\Rightarrow 1) \qquad \dfrac{aRt \Rightarrow aRt \qquad \varphi[x/a] \Rightarrow \varphi[x/a]}{t = \tau x\varphi(x), aRt \Rightarrow \varphi[x/a]}\ (\tau\Rightarrow 2)}{t = \tau x\varphi(x) \Rightarrow \varphi[x/a] \leftrightarrow aRt}\ (\Rightarrow\leftrightarrow)}{t = \tau x\varphi(x) \Rightarrow \forall x(\varphi(x) \leftrightarrow xRt)}\ (\Rightarrow\forall)$$

In the second direction: 

$$\dfrac{\dfrac{\dfrac{aRt \Rightarrow aRt \qquad \varphi[x/a] \Rightarrow \varphi[x/a]}{\varphi[x/a] \leftrightarrow aRt, aRt \Rightarrow \varphi[x/a]}\ (\leftrightarrow\Rightarrow)}{\forall x(\varphi(x) \leftrightarrow xRt), aRt \Rightarrow \varphi[x/a]}\ (\forall\Rightarrow) \qquad \dfrac{\dfrac{\varphi[x/a] \Rightarrow \varphi[x/a] \qquad aRt \Rightarrow aRt}{\varphi[x/a] \leftrightarrow aRt, \varphi[x/a] \Rightarrow aRt}\ (\leftrightarrow\Rightarrow)}{\forall x(\varphi(x) \leftrightarrow xRt), \varphi[x/a] \Rightarrow aRt}\ (\forall\Rightarrow)}{\forall x(\varphi(x) \leftrightarrow xRt) \Rightarrow t = \tau x\varphi(x)}\ (\Rightarrow\tau)$$


Derivability of the specific rules is straightforward. Notice that from HA as 
additional axioms we obtain: 

(a) $t = \tau x\varphi(x) \to \forall x(\varphi(x) \leftrightarrow xRt)$ and 
(b) $\forall x(\varphi(x) \leftrightarrow xRt) \to t = \tau x\varphi(x)$. 

From the premisses of any variant of $(\tau\Rightarrow)$, applying weakening we deduce: 

$$\dfrac{\dfrac{\Gamma \Rightarrow \Delta, bRt, \varphi[x/b] \qquad bRt, \varphi[x/b], \Gamma \Rightarrow \Delta}{\varphi[x/b] \leftrightarrow bRt, \Gamma \Rightarrow \Delta}\ (\leftrightarrow\Rightarrow)}{\forall x(\varphi(x) \leftrightarrow xRt), \Gamma \Rightarrow \Delta}\ (\forall\Rightarrow)$$

which, by cut with (a), yields the conclusion of $(\tau\Rightarrow)$. In a similar way we deduce 
$\Gamma \Rightarrow \Delta, \forall x(\varphi(x) \leftrightarrow xRt)$ from the premisses of $(\Rightarrow\tau)$, and by cut with (b) we obtain 
the conclusion of this rule. 

One should note that T-theory is much stronger than S-theory; both central 
principles EXT and AV are provable (in fact even in the setting of NFFOLI by 
means of the weaker rules). 

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\varphi[x/a] \leftrightarrow \psi[x/a], aR\tau x\varphi(x) \Rightarrow \psi[x/a], aR\tau x\varphi(x) \qquad \varphi[x/a], \varphi[x/a] \leftrightarrow \psi[x/a], aR\tau x\varphi(x) \Rightarrow \psi[x/a]}{\tau x\varphi(x) = \tau x\varphi(x), \varphi[x/a] \leftrightarrow \psi[x/a], aR\tau x\varphi(x) \Rightarrow \psi[x/a]}\ (\tau\Rightarrow 2)}{\varphi[x/a] \leftrightarrow \psi[x/a], aR\tau x\varphi(x) \Rightarrow \psi[x/a]}\ (Ref)}{\forall x(\varphi(x) \leftrightarrow \psi(x)), aR\tau x\varphi(x) \Rightarrow \psi[x/a]}\ (\forall\Rightarrow) \qquad \mathcal{D}}{\forall x(\varphi(x) \leftrightarrow \psi(x)) \Rightarrow \tau x\varphi(x) = \tau x\psi(x)}\ (\Rightarrow\tau)}{\Rightarrow \forall x(\varphi(x) \leftrightarrow \psi(x)) \to \tau x\varphi(x) = \tau x\psi(x)}\ (\Rightarrow\to)$$

where the second leaf is directly provable and $\mathcal{D}$ is an analogous proof of 
$\forall x(\varphi(x) \leftrightarrow \psi(x)), \psi[x/a] \Rightarrow aR\tau x\varphi(x)$. 

$$\dfrac{\dfrac{\dfrac{aR\tau x\varphi(x) \Rightarrow aR\tau x\varphi(x) \qquad \varphi[x/a] \Rightarrow \varphi[y/a]}{\tau x\varphi(x) = \tau x\varphi(x), aR\tau x\varphi(x) \Rightarrow \varphi[y/a]}\ (\tau\Rightarrow 2)}{aR\tau x\varphi(x) \Rightarrow \varphi[y/a]}\ (Ref) \qquad \dfrac{\dfrac{\varphi[y/a] \Rightarrow \varphi[x/a] \qquad aR\tau x\varphi(x) \Rightarrow aR\tau x\varphi(x)}{\tau x\varphi(x) = \tau x\varphi(x), \varphi[y/a] \Rightarrow aR\tau x\varphi(x)}\ (\tau\Rightarrow 1)}{\varphi[y/a] \Rightarrow aR\tau x\varphi(x)}\ (Ref)}{\Rightarrow \tau x\varphi(x) = \tau y\varphi(y)}\ (\Rightarrow\tau)$$

Note that $\varphi[x/a]$ and $\varphi[y/a]$ are identical since $\varphi(x)$ and $\varphi(y)$ are alphabetic 
variants. 
One may even prove the converse of EXT: 

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\varphi[x/a] \Rightarrow \varphi[x/a] \qquad aR\tau x\varphi(x) \Rightarrow aR\tau x\varphi(x)}{\tau x\varphi(x) = \tau x\varphi(x), \varphi[x/a] \Rightarrow aR\tau x\varphi(x)}\ (\tau\Rightarrow 1)}{\varphi[x/a] \Rightarrow aR\tau x\varphi(x)}\ (Ref) \qquad \psi[x/a] \Rightarrow \psi[x/a]}{\tau x\varphi(x) = \tau x\psi(x), \varphi[x/a] \Rightarrow \psi[x/a]}\ (\tau\Rightarrow 2) \qquad \mathcal{D}}{\tau x\varphi(x) = \tau x\psi(x) \Rightarrow \varphi[x/a] \leftrightarrow \psi[x/a]}\ (\Rightarrow\leftrightarrow)}{\tau x\varphi(x) = \tau x\psi(x) \Rightarrow \forall x(\varphi(x) \leftrightarrow \psi(x))}\ (\Rightarrow\forall)$$

where $\mathcal{D}$ is a similar proof of $\tau x\varphi(x) = \tau x\psi(x), \psi[x/a] \Rightarrow \varphi[x/a]$. 
To realise how strong this principle is on the ground of CFOLI, notice that 
when $t$ is instantiated with $\tau x\varphi(x)$ we obtain: 

$$\tau x\varphi(x) = \tau x\varphi(x) \leftrightarrow \forall x(\varphi(x) \leftrightarrow xR\tau x\varphi(x)),$$ 

which by (unrestricted) reflexivity of $=$ yields: 

$$\forall x(\varphi(x) \leftrightarrow xR\tau x\varphi(x)).$$ 


For several term-forming operators, at least on the ground of CFOLI, it is 
too strong. For example, if we instantiate this principle with the iota-operator (where 
$R$ is $=$) we run into a contradiction: 

1. $\iota x(Ax \wedge \neg Ax) = \iota x(Ax \wedge \neg Ax) \leftrightarrow \forall x(Ax \wedge \neg Ax \leftrightarrow x = \iota x(Ax \wedge \neg Ax))$ 

2. $\iota x(Ax \wedge \neg Ax) = \iota x(Ax \wedge \neg Ax)$ 

3. $\forall x(Ax \wedge \neg Ax \leftrightarrow x = \iota x(Ax \wedge \neg Ax))$   1, 2 

4. $A(\iota x(Ax \wedge \neg Ax)) \wedge \neg A(\iota x(Ax \wedge \neg Ax)) \leftrightarrow \iota x(Ax \wedge \neg Ax) = \iota x(Ax \wedge \neg Ax)$   3 

5. $A(\iota x(Ax \wedge \neg Ax)) \wedge \neg A(\iota x(Ax \wedge \neg Ax))$   4, 2 


Similarly, in the case of the set-abstraction operator (where $R$ is $\in$) we obtain just 
the unrestricted axiom of comprehension, which immediately leads to Russell’s para- 
dox. Hence it is crucial to establish what $R$ is for the specific tfo in order to decide if Ten- 
nant’s rules may be safely added to GCI or GPCI. Therefore, we do not attempt 
here to state T-theory as a general calculus GT. Instead we will consider in the 
next section the application of his theory to the set-abstraction operator, since even in 
this context one may introduce restrictions which can protect us from trouble. 


4 Application to Set-Abstracts 


Several kinds of set theory with the set-abstraction operator as primitive can be 
rather easily developed on the basis of S- or T-theory as formalised in the pre- 
ceding section. In fact, both Scott [32] and Tennant [33] applied their theories 
to set-abstract operators, but in the context of free logic the unrestricted axiom 
of comprehension does not lead to Russell’s paradox. However, we work here in 
the setting of CFOL, so the rules responsible for its derivation must be somehow 
restricted. For these reasons we decided to examine the possible formalisations 
of Quine's NF (New Foundations) as developed in [30], where the comprehen- 
sion axiom is suitably restricted by means of an outer syntactic side condition 
which is independent of the structure of the rules. In fact, NF is not a very popular 
formalisation of set theory due to some peculiarities. However, it also has several 
advantages which we are not going to discuss here because of space restric- 
tions¹. In particular, the syntactic simplicity of NF makes it a very convenient 
theory for proof-theoretic investigations. 

Before we focus on sequent calculi for NF let us start with some general pre- 
liminaries concerning an arbitrary formalisation of set theory. It often goes unno- 
ticed that it may be developed in the language where only $\in$ is a primitive 
predicate or in the language with $=$ primitive, which is the rather more popular 
choice. In the latter case we assume that we already have some axioms/rules for 
$=$, so the only specific axiom we need for sets is: 

$$ExtAx:\ \forall xy(\forall z(z \in x \leftrightarrow z \in y) \to x = y)$$

since the converse is already provable by LL. 


If we start with CFOL (only $\in$ primitive), $=$ may be defined either in the 
Leibnizian spirit: 

$$=_L:\ t = t' := \forall z(t \in z \leftrightarrow t' \in z)$$

or in the way Quine prefers: 

$$=_Q:\ t = t' := \forall z(z \in t \leftrightarrow z \in t')$$

¹ See in particular its presentation in [30] and discussion in [8,9]. 


The first choice leads to the standard characterisation of $=$ and the axiom 
ExtAx is still required. The second one is different since ExtAx is provable but 
still we cannot obtain the full characterisation of identity. Therefore we must 
add a special form of LL as an extensionality axiom: 

$$ExtAx':\ \forall xyz(x = y \to (x \in z \to y \in z))$$

and this is the way Quine proceeded with the development of NF. The second 
axiom is the axiom of abstraction: 

$$ABS:\ \forall x(x \in \{y : \varphi(y)\} \leftrightarrow \varphi[y/x])$$

where $\varphi$ is stratified. Assuming that the only predicate is $\in$, this condition may 
be defined roughly as follows: it is possible to define a mapping from the variables of 
$\varphi$ into integers in such a way that for each atom $x \in y$ the arguments receive 
$i$ and $i + 1$ respectively. In case we admit $=$, the mapping should give both arguments 
of each atom $x = y$ the same integer $i$. In what follows we will admit both kinds of 
formulae as atomic, briefly called $\in$-atoms and $=$-atoms. 
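As an added worked example (not from the paper), here is the derivation behind the remark in Sect. 3.2 that for the set-abstraction operator HA yields unrestricted comprehension and hence Russell's paradox, followed by a check of the stratification condition just defined on the same formula. The set-abstraction operator is taken as $\tau$ with $R := \in$, the background is CFOLI as in Sect. 3.2, and $r$ and the integer assignment $n$ are labels introduced here, not notation of the paper. 

With $R := \in$ the Hintikka axiom HA reads $t = \{x : \varphi(x)\} \leftrightarrow \forall x(\varphi(x) \leftrightarrow x \in t)$. Taking $\varphi(x) := x \notin x$ and writing $r$ for $\{x : x \notin x\}$: 

1. $r = r \leftrightarrow \forall x(x \notin x \leftrightarrow x \in r)$   HA, $t := r$ 

2. $r = r$   reflexivity of $=$ (unrestricted in CFOLI) 

3. $\forall x(x \notin x \leftrightarrow x \in r)$   1, 2 

4. $r \notin r \leftrightarrow r \in r$   3, $(\forall\Rightarrow)$ with $x := r$ 

5. $\bot$   4, propositional logic 

Line 3 is exactly the instance of ABS for $\varphi(x) := x \notin x$, so the derivation goes through whenever ABS (or the rules $(Abs\Rightarrow)$, $(\Rightarrow Abs)$ below) is available for this $\varphi$. NF blocks it at the side condition: $x \notin x$ is $\neg(x \in x)$, and its only $\in$-atom $x \in x$ would need an assignment $n$ with 
$$n(x) = i \quad \text{and} \quad n(x) = i + 1,$$ 
which no integer satisfies, so $\varphi$ is not stratified and line 3 is not an instance of NF's ABS. For contrast, $\varphi(x) := \exists y(x \in y)$ is stratified by $n(x) := 0$, $n(y) := 1$, while $\varphi(x) := \exists y(x \in y \wedge y \in x)$ is not, since the two $\in$-atoms would require both $n(y) = n(x) + 1$ and $n(x) = n(y) + 1$. Admitting $=$-atoms adds only the constraint $n(x) = n(y)$ for each atom $x = y$, so e.g. $\exists y(x \in y \wedge y = z)$ is stratified by $n(x) := 0$, $n(y) := n(z) := 1$. 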

We will consider two approaches to the construction of a cut-free sequent calculus 
for NF. Although the rules (Ext), (AV) will not be primitive but derivable in 
both, the first one, following closely the Quinean formulation, is closer to the general 
GS, whereas the second starts with Tennant’s rules suitably restricted. 


4.1 The S-Approach to NF 


There is no sense in taking the instances of (Ext) and (AV) as primitive rules 
since it will not save us from the addition of most of the specific rules for the set- 
abstraction operator and $=$. So it is better to follow quite closely the original 
Quinean axiomatisation of NF. A difference with the latter is connected with 
the treatment of identity, since we take it as a primitive predicate characterised 
by rules. However, we do not take the primitive rules of GPCI for identity as 
primitive but rather provide new rules based on $=_Q$. Hence we take GPC as the 
basis and add: 

$$(\Rightarrow =)\ \frac{a \in t, \Gamma \Rightarrow \Delta, a \in t' \quad a \in t', \Gamma \Rightarrow \Delta, a \in t}{\Gamma \Rightarrow \Delta, t = t'}$$

$$(=\Rightarrow)\ \frac{\Gamma \Rightarrow \Delta, b \in t, b \in t' \quad b \in t, b \in t', \Gamma \Rightarrow \Delta}{t = t', \Gamma \Rightarrow \Delta}$$

where $a$ is a fresh parameter. These rules correspond to $=_Q$. Moreover, we add two rules corresponding to the 
axiom ABS: 

$$(Abs\Rightarrow)\ \frac{\varphi[x/t], \Gamma \Rightarrow \Delta}{t \in \{x : \varphi(x)\}, \Gamma \Rightarrow \Delta} \qquad (\Rightarrow Abs)\ \frac{\Gamma \Rightarrow \Delta, \varphi[x/t]}{\Gamma \Rightarrow \Delta, t \in \{x : \varphi(x)\}}$$

with $\varphi$ stratified. 

We omit the easy proofs of the equivalence of the stated rules with the respective axioms: 
ABS and the object language counterpart of $=_Q$. Proofs of these axioms, as well 
as derivability of our rules in GPC enriched with axiomatic sequents expressing 
ABS and $=_Q$, are straightforward and similar to the proofs from Theorem 1. Instead 
we will show that although we have neither (Ext) nor (AV) as primitive rules, 
they are derivable in such a system for stratified $\varphi$. 


Lemma 2. Derivability of (Ext) and (AV). 

Proof: 

$$\dfrac{\dfrac{\varphi(a), \Gamma \Rightarrow \Delta, \psi(a)}{a \in \{x : \varphi(x)\}, \Gamma \Rightarrow \Delta, a \in \{x : \psi(x)\}}\ (Abs\Rightarrow), (\Rightarrow Abs) \qquad \dfrac{\psi(a), \Gamma \Rightarrow \Delta, \varphi(a)}{a \in \{x : \psi(x)\}, \Gamma \Rightarrow \Delta, a \in \{x : \varphi(x)\}}\ (Abs\Rightarrow), (\Rightarrow Abs)}{\Gamma \Rightarrow \Delta, \{x : \varphi(x)\} = \{x : \psi(x)\}}\ (\Rightarrow =)$$

The proof of (AV) or, alternatively, of (ExtAV) is similar. 


But the rules (>=) and (==>) are not sufficient for obtaining the complete 
characterisation of identity in NF. In particular they are not sufficient for the 
case corresponding to the specific instance of LL expressed by the axiom Ext Az' 
Note that in general we must be able to prove: 


lL t— t.t 2t — t — t" 


2. t—- tlt ct t" et 
3. t— l'ite t" S v! etl 


With case 1 there is no problem; it is derivable by (⇒=) and (=⇒), as are the other properties of =, including reflexivity and symmetry. Case 2 would be provable by (=⇒) provided that, instead of b, we were allowed to use any term t''. So this case is problematic and needs a reformulation of the rules, which in general destroys the subformula property and may be troublesome in proving the cut elimination theorem. Case 3 corresponds exactly to ExtAx' and requires a separate rule, which possibly covers case 2 as well. To avoid trouble we might follow the general solution introduced for GS and use the rule (2LL) as a two-premiss right-sided rule, but this does not work, since (Abs ⇒) introduces an ∈-atom as a principal formula in the antecedent. As a result, while proving cut elimination we cannot reduce the following cut instance:


$$
\frac{
\dfrac{\Gamma \Rightarrow \Delta,\ t = t' \qquad \Gamma \Rightarrow \Delta,\ t \in \{x : \varphi\}}{\Gamma \Rightarrow \Delta,\ t' \in \{x : \varphi\}}\ (2LL)
\qquad
\dfrac{\varphi(t'),\ \Pi \Rightarrow \Sigma}{t' \in \{x : \varphi\},\ \Pi \Rightarrow \Sigma}\ (Abs \Rightarrow)
}{\Gamma, \Pi \Rightarrow \Delta, \Sigma}\ (Cut)
$$
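The claim above that case 1 is derivable from (⇒=) and (=⇒) alone can be checked directly. The following derivation is added here as an illustration and is not taken from the paper; repetitions of atoms in the contexts are left implicit. For a parameter a not occurring in t, t', t'':

$$
\frac{\mathcal{D}_1 \qquad \mathcal{D}_2}{t = t',\ t' = t'' \Rightarrow t = t''}\ (\Rightarrow =)
$$

where $\mathcal{D}_1$ derives the left premiss by two applications of (=⇒) with b := a, first on t = t' and then on t' = t'':

$$
\frac{
a \in t,\ t' = t'' \Rightarrow a \in t'',\ a \in t,\ a \in t'
\qquad
\dfrac{a \in t,\ a \in t' \Rightarrow a \in t'',\ a \in t',\ a \in t'' \qquad a \in t',\ a \in t'',\ a \in t,\ a \in t' \Rightarrow a \in t''}{a \in t,\ a \in t',\ t' = t'' \Rightarrow a \in t''}\ (= \Rightarrow)
}{a \in t,\ t = t',\ t' = t'' \Rightarrow a \in t''}\ (= \Rightarrow)
$$

All leaves are axiomatic sequents. $\mathcal{D}_2$ derives the right premiss $a \in t'',\ t = t',\ t' = t'' \Rightarrow a \in t$ in the same way, decomposing t' = t'' first and then t = t'. Reflexivity ($\Rightarrow t = t$) follows from (⇒=) with the two axiomatic premisses $a \in t \Rightarrow a \in t$, and symmetry ($t = t' \Rightarrow t' = t$) from (⇒=) followed by (=⇒) with b := a on each premiss.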


It seems that in the presence of (Abs ⇒) and (⇒ Abs) the only solution is to add a 3-premiss version of LL:

$$
\frac{\Gamma \Rightarrow \Delta,\ t = t' \qquad \Gamma \Rightarrow \Delta,\ \psi(t) \qquad \psi(t'),\ \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}\ (3LL)
$$

where ψ(t) and ψ(t') are either t'' ∈ t and t'' ∈ t', or t ∈ t'' and t' ∈ t''. Summing up, we obtain a system GSNF which adds to GPC the following rules: (=⇒), (⇒=), (Abs ⇒), (⇒ Abs) and (3LL) ((Ref) is derivable).


Theorem 4. GSNF is an adequate formalisation of NF. 


Moreover, the cut elimination theorem can be proved for GSNF in a similar fashion as in [13], where a similar solution was provided for sequent calculi for free description theories. Note however that the situation with the subformula property is even worse than in GS (GS') due to the presence of (3LL). Is it possible to obtain a better formalisation of NF by means of Tennant's rules?


4.2 The T-Approach to NF 


If we want to apply the approach of Tennant to NF, we have = as a primitive predicate, not only present in the language but already characterised by specific rules, so we start with GPCI and add the following Tennant-style rules:

$$
\frac{\varphi(a),\ \Gamma \Rightarrow \Delta,\ a \in t \qquad a \in t,\ \Gamma \Rightarrow \Delta,\ \varphi(a)}{\Gamma \Rightarrow \Delta,\ t = \{x : \varphi(x)\}}\ (=:)
$$

$$
\frac{\Gamma \Rightarrow \Delta,\ \varphi(b) \qquad b \in t,\ \Gamma \Rightarrow \Delta}{t = \{x : \varphi(x)\},\ \Gamma \Rightarrow \Delta}\ (:=)
\qquad\qquad
\frac{\Gamma \Rightarrow \Delta,\ b \in t \qquad \varphi(b),\ \Gamma \Rightarrow \Delta}{t = \{x : \varphi(x)\},\ \Gamma \Rightarrow \Delta}\ (:=)
$$

where a is not in Γ, Δ, φ, t; b is any term and φ is stratified.

Note that (Ext) and (AV) are derivable, which follows from the proofs of EXT and AV presented in Sect. 3.2. As we noticed there, the axiom ABS is also provable, so we do not need the special rules (Abs ⇒), (⇒ Abs) either. We do not even need to care about the axiom ExtAx, since it is provable:


$$
\frac{
\dfrac{
\dfrac{c \in a \Rightarrow c \in b,\ c \in a,\ c \in b \qquad c \in a,\ c \in b,\ c \in a \Rightarrow c \in b}{\forall z(z \in a \leftrightarrow z \in b),\ c \in a \Rightarrow c \in b}
\qquad
\dfrac{c \in b \Rightarrow c \in a,\ c \in a,\ c \in b \qquad c \in a,\ c \in b,\ c \in b \Rightarrow c \in a}{\forall z(z \in a \leftrightarrow z \in b),\ c \in b \Rightarrow c \in a}
}{\forall z(z \in a \leftrightarrow z \in b) \Rightarrow a = \{x : x \in b\}}\ (=:)
\qquad
\dfrac{c \in b \Rightarrow c \in b \qquad c \in b \Rightarrow c \in b}{\Rightarrow b = \{x : x \in b\}}\ (=:)
}{\forall z(z \in a \leftrightarrow z \in b) \Rightarrow a = b}\ (2LL)
$$

$$
\frac{\forall z(z \in a \leftrightarrow z \in b) \Rightarrow a = b}{\Rightarrow \forall z(z \in a \leftrightarrow z \in b) \rightarrow a = b}\ (\Rightarrow \rightarrow)
\qquad\qquad
\frac{\Rightarrow \forall z(z \in a \leftrightarrow z \in b) \rightarrow a = b}{\Rightarrow \forall x y(\forall z(z \in x \leftrightarrow z \in y) \rightarrow x = y)}\ (\Rightarrow \forall)
$$


146 A. Indrzejczak 


It seems that the T-approach is better than the S-approach to NF since it is more economical. However, if we think about cut elimination we must consider carefully the problem of primitive rules for identity. Although we first stated that we add the special Tennant-style rules to GPCI, and we used (2LL) in the above proof, it seems that we cannot keep (2LL), since in general we face the same problem with cut elimination as in the case of the S-system illustrated in Subsect. 4.1. To prove the cut elimination theorem we must again either replace (2LL) with (3LL) in general, or follow the strategy introduced in [17] and separate the rules for LL dealing with special cases of atomic formulae. One possibility is to keep:


$$
\frac{\Gamma \Rightarrow \Delta,\ t = t' \qquad \Gamma \Rightarrow \Delta,\ \psi(t)}{\Gamma \Rightarrow \Delta,\ \psi(t')}\ (2LL')
$$

for ψ being an ∈-atom, and restrict (3LL) only to =-atoms:


$$
\frac{\Gamma \Rightarrow \Delta,\ t = t' \qquad \Gamma \Rightarrow \Delta,\ t = t'' \qquad t' = t'',\ \Gamma \Rightarrow \Delta}{\Gamma \Rightarrow \Delta}\ (3LL')
$$

This way we obtain a system GTNF which adds to GPC the rules: (:=), (=:), (2LL'), (3LL'), (Ref). (2LL') deals only with ∈-atoms, and all properties of identity are derivable by (Ref) and (3LL').


Theorem 5. GTNF is an adequate formalisation of NF. 


The cut elimination theorem is provable for GTNF as well. Unfortunately, the situation with the subformula property is similar to that in the system GSNF from the preceding subsection. However, some simplifications are possible, obtained by reducing the applications of (3LL') when at least two of t, t', t'' are parameters. Consider the cases with at most one complex term t:


1. $a = b,\ a = c \Rightarrow b = c$
2. $t = b,\ t = c \Rightarrow b = c$
3. $a = t,\ a = b \Rightarrow t = b$
4. $a = b,\ a = t \Rightarrow b = t$


(2LL') may be modified to cover the identities from cases 1 and 2:

$$
\frac{\Gamma \Rightarrow \Delta,\ t = t' \qquad \Gamma \Rightarrow \Delta,\ \psi(t)}{\Gamma \Rightarrow \Delta,\ \psi(t')}\ (2LL'')
$$

for ψ(t') being an ∈-atom or an =-atom of the form b = c (a third term in the premisses may be complex or a parameter). For cases 3 and 4 we may add the rules:


$$
\frac{\Gamma \Rightarrow \Delta,\ a = t \qquad t = b,\ \Gamma \Rightarrow \Delta}{a = b,\ \Gamma \Rightarrow \Delta}\ (Tr)
\qquad\qquad
\frac{\Gamma \Rightarrow \Delta,\ a = t \qquad b = t,\ \Gamma \Rightarrow \Delta}{a = b,\ \Gamma \Rightarrow \Delta}\ (E)
$$

Either of them will do the task. For example, if we take (E) we have a direct proof of 4 and the following proof of 3:

$$
a = t,\ a = b \Rightarrow t = b
$$
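One such derivation of case 3, using (E), (3LL') and (Ref), is added here as an illustration and is not taken from the paper. The principal formula of (E) is a = b with a = t as the auxiliary identity; the right premiss of (E) needs the symmetry of =, which is supplied by (3LL') with t := b, t' := t, t'' := b:

$$
\frac{
a = t \Rightarrow t = b,\ a = t
\qquad
\dfrac{b = t,\ a = t \Rightarrow t = b,\ b = t \qquad b = t,\ a = t \Rightarrow t = b,\ b = b \qquad t = b,\ b = t,\ a = t \Rightarrow t = b}{b = t,\ a = t \Rightarrow t = b}\ (3LL')
}{a = t,\ a = b \Rightarrow t = b}\ (E)
$$

The first and third premisses of (3LL') and the left premiss of (E) are axiomatic; the middle premiss of (3LL') is provable by (Ref). Case 4 is the direct application of (E) with the same auxiliary identity a = t, both premisses being axiomatic.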


As a result we have to keep (3LL') only for the cases where at least two of t, t', t'' are complex terms, at the price of adding (Tr) or (E). Let us call such a modified system GTNF'.


5 Conclusion 


We have provided a proof theoretic treatment of the general theory of tfos intro- 
duced independently by several authors (S-theory), and proposed a modification 
of a different approach (T-theory) in a way which allows us to compare their 
relative strength. Moreover, we examined the ways in which both approaches 
may be extended to cover set theory NF of Quine. All obtained sequent systems 
satisfy the cut elimination theorem, but do not satisfy the subformula property. 
Hence, in the case of the systems for NF, we cannot obtain a syntactical consis- 
tency proof on the basis of the cut elimination theorem, because of the rules like 
(3LL). Still these systems, in particular a system GTNF described in the last 
subsection, allow us to keep a stricter control over the construction of proof. 

The natural next step of this research is connected with the application of,
possibly modified, systems GS, GS’, or (suitably restricted) rules of Tennant's 
approach, to other kinds of term-forming operators, and careful examination of 
their specific features. 

Eventually it is also interesting to investigate if the obtained systems allow us 
to prove other desirable properties in constructive way. One of such important 
points is the interpolation theorem. Since it was proved semantically for the 
general S-theory in [4], it is an important task to find a constructive proof as 
well. However, the method of split-sequents due to Maehara, which is usually 
applied in the setting of sequent calculi, fails for the presented systems since 
it does not work with rules like (a =). The problem is connected with the fact 
that the complex term occurring in the active formula in the premiss may contain
some predicates which do not occur in the rest of the respective division of a 
split-sequent but occur in the interpolant (and of course in the other division of a 
split-sequent). In this case the interpolant of the premiss fails to be an interpolant 
of the conclusion, where the active formula is deleted. Only the weaker form of 
interpolation can be proved in which we require that interpolants have only 
parameters (but not predicates) common to both divisions of the split-sequent. 
It is an open problem if such difficulties can be overcome. 
Abstract. Noting that lemmas are a key feature of mathematics, we
engage in an investigation of the role of lemmas in automated theorem
proving. The paper describes experiments with a combined system
involving learning technology that generates useful lemmas for auto- 
mated theorem provers, demonstrating improvement for several repre- 
sentative systems and solving a hard problem not solved by any system 
for twenty years. By focusing on condensed detachment problems we sim- 
plify the setting considerably, allowing us to get at the essence of lemmas 
and their role in proof search. 


1 Introduction 


Mathematics is built in a carefully structured way, with many disciplines and 
subdisciplines. These are characterized by concepts, definitions, axioms, theo- 
rems, lemmas, and so forth. There is no doubt that this inherent structure of 
mathematics is part of the discipline’s long-lasting success. 

Research into Automated Theorem Proving (ATP) to date has taken little 
notice of the information provided by this structure. Even state-of-the-art ATP 
systems ingest a conjecture together with pertinent definitions and axioms in a 
way completely agnostic to their place in the mathematical structure. A compar- 
atively small but nevertheless important part of the structure of mathematics is 
the identification and application of lemmas. It is this aspect which is the focus
of the work presented here. 

The purpose of lemmas in mathematics is at least threefold. First, and per- 
haps most importantly, lemmas support the search for proofs of assertions. If 
some lemma applies to a given problem, a proof may be found more easily. Sec- 
ond, it is often the case that a lemma may be applied more than once. If this 
happens, its use will shorten the length of the overall proof since the proof of 
the lemma need only be carried out once, not repeatedly for every application. 
Third, the structuring effect of proofs by the use of lemmas is an important fea- 
ture for human comprehension of proofs. In our work we are motivated primarily 
by the first two of these three aspects. 

These considerations give rise to the crucial question: how can we find useful 
lemmas for proving a given problem? Here we mean useful in the sense of the two 
aforementioned aspects: lemmas should be applicable to the problem at hand, 
preferably many times. In full generality this is a difficult question indeed, which 
will require much further research. In this first step we restrict the question 
to a narrow range of problems, known in literature as condensed detachment 
(CD) problems [41]. Proofs of CD problems can be represented in a simple 
and accessible form as proof structure terms, enabling structure enumeration to 
enhance proof search and lemma maintenance, as well as feature extraction for 
learning. Our investigation thus focuses on the question of how ATP performance 
may be improved for CD problems by the generation and selection of useful 
lemmas before search begins. 

CD problems are of the form “axiom(s) and Det imply a goal” where Det rep- 
resents the well-known modus ponens rule, or condensed detachment. They have 
a single unary predicate. A typical application is the investigation of an axiom- 
atization of some propositional logic, whose connectives are then represented by 
function symbols. In order to support this study experimentally, we have built 
a combined system for dealing with these problems. It features SGCD [74] as 
prover and lemma generator along with a learning module based on either an 
easily-interpreted linear model over hand-engineered features, or a graph neural 
network supporting end-to-end learning directly from lemmas. 

Our work results in a number of inter-related particular contributions: 


1. Incorporation of proof structure terms into ATP with Machine Learning 
(ML). Consideration of features of the proof structure terms, explicitly in 
linear-model ML or implicitly in a neural ML model. A novel ATP/ML 
dataflow that is centered around proof structure terms. 

2. Experimentally validated general insights into the use of learned lemmas for 
provers of different paradigms, with different ways to incorporate lemmas, 
and based on two alternate ML models. At the same time pushing forward 
the state of the art on proving CD problems. Insights include: SGCD is com- 
petitive with leading first-order provers; Learned lemmas significantly extend 
the set of problems provable by the leading first-order prover Vampire; Provers 
without internal lemma maintenance, such as Connection Method (CM) [6-8] 
systems, are drastically improved; Vampire and SGCD are able to handle a 
few hundreds of supplied lemmas; Learning based on manual features and on
automatic feature extraction perform similarly. 

3. An automatic proof of the Meredith single axiom theorem LCL073-1, which
has persisted in the TPTP rated 1.00 since 1997. The first and only system
to succeed was OTTER [39], after intensive massaging by Wos [84]. It was
proven by SGCD in a novel systematic way.

4. An implemented framework with the new techniques for generation, selection 
and application of lemmas. 


Structure of the Paper. Section2 presents condensed detachment and its 
embedding into the CM by way of so-called D-terms, as well as background 
material on lemmas and machine learning in ATP. Section 3 introduces a method 
for generating and selecting useful lemmas and presents experimental results with 
it, leading up to the proof of LCL073-1 in Sect. 4. We conclude with a summary 
and outlook for further work in this area in Sect. 5. 

Supplementary material is provided in the appendix of the preprint version [54]. All experiments are fully reproducible and the artifacts are available at https://github.com/zsoltzombori/lemma, commit df2faaa. We use CD Tools [74] and PIE [71,72], implemented in SWI-Prolog [77], for reasoning tasks and PyTorch [47] for learning.


2 Background and Related Work 


In a very general sense, lemmas in ATP factorize duplication. This may be 
between different proofs that make use of the same lemma, or within a single 
proof where a lemma is used multiple times. It may not even be a particular 
formula that is shared, but a pattern, such as a resonator [81]. In the presence 
of machine learning, we may think of even more abstract entities that are fac- 
torized: the principles by which proofs are written, repeated in different proofs 
or contexts. 

Depending on the proving method, lemmas in ATP play different roles. 
Provers based on saturation, typically resolution/superposition (RS) systems [3], 
inherently operate by generating lemmas: a resolvent is itself a lemma derived 
from its parents. Nevertheless, one may ask for more meaningful lemmas than the 
clauses of the proof. This is addressed with cut introduction [14,20,78], which 
studies methods to obtain complex lemmas from resolution proofs. Such lem- 
mas provide insight about the high-level structure of proofs, extract interesting 
concepts and support research into the correspondence between natural mathe- 
matical notions and possible proof compressions. Other approaches to interesting 
theorems or lemmas are described for example in [52,65]. 

Another question concerning lemmas and ATP systems is whether perfor- 
mance can be improved by supplementing the input with lemmas. This is par- 
ticularly applicable if lemmas are obtained with methods that are different from 
those of the prover. Otherwise, it may have obtained these by itself.¹ As we will see, leading ATP systems such as Vampire and E [59] can indeed be improved in this way. Different methods do not necessarily mean different systems: it is possible to use different configurations of the same system for lemma generation and proving, as well as for intermediate operations. This was the workflow used by Larry Wos to prove the challenge problem LCL073-1 with OTTER [84]. Our SGCD system also supports this, which played a major role in its ability to prove the aforementioned challenge problem.

Lemmas play a quite different role for a family of provers which we call 
CM-CT for Connection Method/Clausal Tableaux, exemplified by PTTP [61], 
SETHEO [33], and leanCoP [45,46]. Underlying conceptual models are model 
elimination [35], clausal tableaux [31] and the CM. They enumerate proof struc- 
tures while propagating variable bindings initialized by the goal through unifi- 
cation, and hence proceed in an inherently goal-driven way. While they are good 
at problems that benefit from goal direction, in general they are much weaker 
than RS provers and have not been among the top provers at CASC for about 
two decades. This is attributed to the fact that they do not re-use the proof of 
one subgoal as the solution of another: they do not use lemmas internally. 

The lack of lemmas was identified early as a weakness of CM-CT [15], so 
there have been various proposed remedies [2,15,17,19,32,45,60,62]. Despite 
some insight and success, this did not yet elevate CM-CT to the level of the 
best RS systems. Nevertheless, the expectation remains that CM-CT provers 
would benefit from supplying lemmas as additional input. Hence, we included 
two CM-CT systems in our experiments, leanCoP and CMProver [12,71,72] and 
show that the expectation is greatly confirmed. Two other systems considered 
here, SGCD and CCS [73], can be viewed as CM-CT systems extended to support 
specific forms of lemma generation and application. 

Lemmas can be maintained within the prover as an inherent part of the 
method, as in saturation. They may also be created and applied by different 
systems, or different instances of the same system [13,55]. Larry Wos calls this 
lemma adjunction [83]. Lemmas created by one system are passed to a second 
system in two principal ways. First, they can be passed as additional axioms, in 
the hope that the second system finds a shorter proof in the wider but shallower 
search space. Second, external lemmas can be used to replace search. The second 
system then starts with the given lemmas as if they were the cached result of 
its previous computation. Moreover, the provided lemmas can be restricted in 
advance by heuristic methods, such as by a machine-learned model. SGCD sup- 
ports this replacing lemma incorporation. The basic distinction between aug- 
menting and replacing search with lemmas was already observed by Owen L. 
Astrachan and Mark E. Stickel [2] in the context of improving CM-CT provers. 


¹ We note here that in some cases systems cannot generate certain lemmas because of e.g. ordering restrictions.
2.1 Machine Learning for ATP


The past decade has seen numerous attempts to leverage machine learning in 
the automated theorem proving effort. Early systems mostly focused on premise 
selection, e.g. [1,68, 70], aiming to reduce the number of axioms supplied as input 
to the prover, or on selection of heuristics, e.g. [11]. Other works provide internal 
guidance directly at the level of inferences during search, e.g. [18,24,25,27, 34, 
53,85]. The emergence of generative language models has also led to some initial 
attempts at directly generating next proof steps, e.g. [48,49,67], moving the 
emphasis away from search. 

In contrast to these lines of work, our focus is on learning the utility of 
lemmas. Close to our aims is [26, 28], trying to identify globally useful lemmas in 
a collection of millions of proofs in HOL Light. Besides differences in the formal 
system, what distinguishes our work is that we learn a much more focused model: 
we put great emphasis on evaluating lemmas in the context of a particular goal 
and axiom set; in fact, our entire system was designed around the question 
whether a given lemma is moving the goal closer to the axioms. We argue that 
the D-term representation of all involved components (goal, lemma, axioms, 
proof) makes our framework particularly suitable for the lemma selection task. 

We employ an iterative improvement approach first used in MaLARea [68]: 
in each iteration, we run proof search guided by a learned model, extract training 
data from proving attempts, and fit a new model to the new data. These steps 
can be repeated profitably until performance saturates. 


2.2 Condensed Detachment: Proofs as Terms 


Condensed detachment (CD) was developed in the mid-1950s by Carew A. 
Meredith as an evolution of substitution and detachment [30,43,50,51]. Reason- 
ing steps are by detachment, or modus ponens, under implicit substitution by 
most general unifiers. Its primary application is the investigation of axiomatiza- 
tions of propositional logics at a first-order meta-level. CD also provides a tech- 
nical approach to the Curry-Howard correspondence, “formulas as types” [22, 23] 
and is considered in witness theory [57]. Many early successes in ATP were on 
CD problems [40,66], but success was also found in the reverse direction. Refine- 
ments of the OTTER prover in the 1990s, some of which have found their ways 
into modern RS provers, were originally conceived and explored in the setting 
of CD [16, 40,69, 79-82, 84]. 

From a first-order ATP perspective, a CD problem consists of axioms, i.e. 
positive unit clauses; a goal theorem, i.e. a single negative ground unit clause 
representing a universally-quantified atomic goal theorem after Skolemization; 
and the following ternary Horn clause that models detachment. 


$$
\mathrm{Det} \;\stackrel{\mathrm{def}}{=}\; P(i(x,y)) \land P(x) \rightarrow P(y).
$$


The premises of Det are called the major and minor premise, respectively. All 
atoms in the problem have the same predicate P, which is unary and stands for 
something like provable. The formulas of the investigated propositional logic are
expressed as terms, where the binary function symbol i stands for implies. 

CD may be seen as an inference rule. From an ATP perspective, a CD infer- 
ence step can be described as a hyperresolution from Det and two positive unit 
clauses to a third positive unit clause. A CD proof is a proof of a CD prob- 
lem constructed with the CD inference rule. CD proofs can be contrasted with 
other types of proof, such as a proof with binary resolution steps yielding non- 
unit clauses. Prover9 [38] chooses positive hyperresolution by default as its only 
inference rule for CD problems and thus produces CD proofs for these. 

It is, however, another aspect of CD that makes it of particular interest for 
developing new ATP methods, which only recently came to our attention in 
the ATP context [75]: the structure of CD proofs can be represented in a very 
simple and convenient way as full binary trees, or as terms. In ATP we find this 
aspect in the CM, where the proof structure as a whole is in focus, in contrast 
to extending a set of formulas by deduction [9]. This view of CD is made precise 
and elaborated upon in [76], on which the subsequent informal presentation is 
based. We call the structure representations of CD proofs D-terms. A D-term is a 
term recursively built from numeral constants and the binary function symbol D 
whose arguments are D-terms. In other words, it is a full binary tree where the 
leaf nodes are labeled with constants. Four examples of D-terms are 


$$
1, \qquad 2, \qquad D(1,1), \qquad D(D(2,1),\ D(1, D(2,1))).
$$


A D-term represents the structure of a proof. A proof in full is represented by 
a D-term together with a mapping of constant D-terms to axioms. Conversion 
between CD proofs and D-terms is straightforward: the use of an axiom corre- 
sponds to a constant D-term, while an inference step corresponds to a D-term 
$D(d_1, d_2)$ where $d_1$ is the D-term that proves the major premise and $d_2$ the minor.

Through first-order unification, constrained by axioms for the leaf nodes and 
the requirements of Det for inner nodes, it is possible to obtain a most general 
formula proven by a D-term [76]. We call it the most general theorem (MGT) of 
the D-term with respect to the axioms, unique up to renaming of variables. For 
a given axiom map, not all D-terms necessarily have an MGT: if unification fails, 
we say the D-term has no MGT. It is also possible that different D-terms have 
the same MGT, or that the MGT of one is subsumed by the MGT of another. 
A D-term is a proof of the problem if its MGT subsumes the goal theorem. 

As an example, let the constant D-term 1 be mapped to $P(i(x, i(x, x)))$, known as Mingle [66]. Then the MGT of the D-term 1 is just this axiom. The MGT of the D-term $D(1,1)$ is $P(i(i(x, i(x, x)),\ i(x, i(x, x))))$, that is, after renaming of variables, $P(y)\sigma$, where $\sigma$ is the most general unifier of the set of pairs $\{\langle P(i(x,y)),\ P(i(x', i(x', x')))\rangle,\ \langle P(x),\ P(i(x'', i(x'', x'')))\rangle\}$.

D-terms, as full binary trees, facilitate characterizing and investigating struc- 
tural properties of proofs. While, for a variety of reasons, it is far from obvious 
how to measure the size of proofs obtained from ATP systems in general, for 
D-terms there are at least three straightforward size measures: 


— The tree size of a D-term is the number of its inner nodes. 


Lemmas: Generation, Selection, Application 159 


— The height of a D-term is the length of the longest root-leaf path. 
— The compacted size of a D-term is the number of distinct compound subterms, 
or, in other words, the number of inner nodes of its minimal DAG. 


Alternative names in the literature are length for compacted size, level for height 
and CDcount [69] for tree size. The D-term D(D(1, D(1, 1)), D(D(1, 1), 1)), for 
example, has tree size 5, compacted size 4 and height 3. Factor equations provide 
a compact way of writing D-terms: distinct subproofs with multiple incoming 
edges in the DAG receive numeric labels, by which they are referenced. The 
D-term D(D(1, 1), D(D(1, D(1, 1)), D(1, D(1, 1)))), for example, can be written as 
2 = D(1,1), 3 = D(1,2), 4 = D(2,D(3,3)). 

CD problems have core characteristics of first-order ATP problems: first-order 
variables, at least one binary function symbol and cyclic predicate dependency. 
But they are restricted: positive unit clauses, one negative ground clause, and 
one ternary Horn clause. Equality is not explicitly considered. The generalization 
of CD to arbitrary Horn problems is, however, not difficult [73]. 


2.3 Condensed Detachment for ATP and Lemmas 


From an ATP point of view, D-terms provide access to proofs as a whole. This 
exposes properties of proofs that are not merely local to an inference step, but 
spread across the whole proof. It suggests a shift in the role of the calculus 
from providing a recipe for building the structure towards an inductive structure 
specification. Moreover, D-terms as objects provide insight into all proofs: for 
example, growth rates of the number of binary trees for tree size, height and 
compacted size are well-known with entries in The On-Line Encyclopedia of 
Integer Sequences [44] and provide upper bounds for the number of proofs [76]. A 
practical consequence for ATP is the justification of proof structure enumeration 
techniques where each structure appears at most once. 

CD proofs suggest and allow for a specific form of lemmas, which we call 
unit or subtree lemmas, reflecting two views on them. As formulas, they are 
positive unit clauses, which can be re-used in different CD inference steps. In 
the structural view, they are subterms, or subtrees, of the overall D-term. If 
they occur multiply there, they are factored in the minimal DAG of the overall 
D-term. The views are linked in that the formula of a lemma is the MGT of 
its D-term. The compacted size measure specified above takes into account the 
compression achievable by unit/subtree lemmas. From the perspective of proof 
structure compression methods, unit/subtree lemmas have the property that 
the compression target is unique, because each tree is represented by a unique 
minimal DAG. CM-CT provers do not support such lemmas, which is the main 
reason for their notorious weakness on CD problems. 


2.4 SGCD—Structure Generating Theorem Proving 


SGCD (Structure Generating Theorem Proving for Condensed Detachment) [74] is the central system used in our experiments as prover as well as lemma generator. It realizes an approach to first-order theorem proving combining techniques


160 M. Rawson et al. 


known from the CM and RS that was not fully recognized before. It generalizes 
(for CD problems) bottom-up preprocessing for and with CM-CT provers [60] 
and hypertableaux [4]. SGCD works by enumeration of proof structures together 
with unification of associated formulas, which is also the core method of the CM- 
CT provers. Structures for which unification fails are excluded. Each structure 
appears at most once in the enumeration. 

Let the proof structures be D-terms. Partition the set of all D-terms according 
to some level such that those in a lower level are strict subterms of those in a 
higher level. Tree size or height are examples of such a level. Let 


enum_dterm_mgt_pairs(+Level, ?DTerm, ?Formula)


be a Prolog² predicate enumerating D-terms and corresponding MGTs at a certain level, with respect to given axioms that do not explicitly appear as a parameter. We say that the predicate generates these pairs in an axiom-driven way.
If the predicate is invoked with the formula argument instantiated by a ground 
formula, it enumerates D-terms that prove the formula at the specified level. 
The predicate is then used goal-driven, like a CM-CT prover. Invoking it for 
increasing level values realizes iterative deepening. There are further instantia- 
tion possibilities: if only the D-term is instantiated and the level is that of the 
D-term, its MGT is computed. If both D-term and formula are instantiated, the 
predicate acts as verifier. 

The implementation includes several generators, concrete variants of the enum_dterm_mgt_pairs predicate for specific level characterizations. SGCD
maintains a cache of (level, D-term, formula) triples used to obtain solutions 
for subproblems in levels below the calling level. This cache is highly config- 
urable. In particular, the number of entries can be limited, where only the best 
triples according to specified criteria are kept. Typical criteria are height or size 
of the formula, a heuristic shared with RS provers. Subsumed entries can be 
deleted, another feature in common with RS. Novel criteria are also supported, 
some of which relate the formula to the goal. Most criteria are based on the 
formula component of the triples, the MGT. Due to rigid variables [21], MGTs 
are not usually available in CM-CT provers [76] and cannot be used as a basis 
for heuristics. 

When lemmas are provided to SGCD, they are used to initialize the cache, replacing search at levels lower than the calling level.³ SGCD further maintains a
set of abandoned (level, D-term, formula) triples, those that are generated but do 
not qualify for entering the cache or were removed from the cache. These are kept 
as a source for heuristic evaluation of other triples and for lemma generation. 

For theorem proving, SGCD proceeds as shown in Fig. 1. Input parameter g is the goal formula, while the parameters maxLevel and preAddMaxLevel are configurable. enum_dterm_mgt_pairs represents a particular generator that is also configurable. It enumerates argument bindings nondeterministically: if it succeeds in the inner loop, an exception returns the D-term d. C is the


² Prolog serves here as a suitable specification language.
³ Replacement can be subject to heuristic restrictions.
cache. The procedure merge_news_into_cache(N, C) merges newly generated (level, D-term, formula) triples N into the cache C. If maxLevel is configured as 0, the method proceeds in purely goal-driven mode, with the inner loop performing iterative deepening on the level m. Similarity to CM-CT provers can be shown empirically by comparing the sets of solved TPTP problems [74]. Generally successful configurations of preAddMaxLevel typically have values 0-3.


    C := ∅;
    for l := 0 to maxLevel do
        for m := l to l + preAddMaxLevel do
            enum_dterm_mgt_pairs(m, d, g);
            throw proof_found(d)
        N := {(l, d, f) | enum_dterm_mgt_pairs(l, d, f)};
        if N = ∅ then throw exhausted;
        C := merge_news_into_cache(N, C)

Fig. 1. The nested loops of the SGCD theorem proving method.
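The following Python program is an added example written for this page; it is not code from the paper, nor from SGCD or CD Tools (which are Prolog). It implements, for the D-term material of Sect. 2.2 (MGTs by first-order unification, tree size, height, compacted size) and for the nested loops of Fig. 1, a miniature axiom-driven level enumeration with a cache. It assumes a representation of formulas P(t) by their argument term t, a level equal to tree size, and simplifies the goal-driven probe to a subsumption test of enumerated MGTs against a ground goal (SGCD proper propagates the goal's bindings through unification while enumerating). Function names such as detach, mgt and sgcd_prove are the example's own.

```python
# Added example, not code from the paper or from SGCD/CD Tools (which are Prolog).
# It covers the D-term material of Sect. 2.2 (MGTs by unification, tree size,
# height, compacted size) and a miniature form of the nested loops of Fig. 1.
# Assumptions: a formula P(t) is its argument term t; a variable is a str, a
# compound term a tuple ('i', left, right), a constant a 1-tuple such as ('a',);
# a D-term is an int (axiom label) or a pair (major, minor); level = tree size;
# goal-driven probing is simplified to testing whether an enumerated MGT subsumes
# the ground goal (SGCD proper propagates goal bindings during enumeration).

def is_var(t):
    return isinstance(t, str)

def walk(t, s):  # follow the bindings of substitution s
    while is_var(t) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v if is_var(t) else any(occurs(v, a, s) for a in t[1:])

def unify(a, b, s):
    """Robinson unification with occurs check: extended substitution or None."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return None if occurs(a, b, s) else {**s, a: b}
    if is_var(b):
        return unify(b, a, s)
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def resolve(t, s):  # apply s everywhere in t
    t = walk(t, s)
    return t if is_var(t) else (t[0],) + tuple(resolve(a, s) for a in t[1:])

def canon(t, m=None):  # rename variables to v0, v1, ...; MGTs are unique up to renaming
    m = {} if m is None else m
    if is_var(t):
        return m.setdefault(t, f"v{len(m)}")
    return (t[0],) + tuple(canon(a, m) for a in t[1:])

def suffix(t, tag):  # rename the two premises apart before unifying them
    return t + tag if is_var(t) else (t[0],) + tuple(suffix(a, tag) for a in t[1:])

def detach(major, minor):  # one CD step: unify the major premise with i(minor, y)
    s = unify(suffix(major, "M"), ("i", suffix(minor, "m"), "y"), {})
    return None if s is None else canon(resolve("y", s))

def mgt(d, axioms):  # most general theorem of D-term d, or None if unification fails
    if isinstance(d, int):
        return canon(axioms[d])
    f1, f2 = mgt(d[0], axioms), mgt(d[1], axioms)
    return None if f1 is None or f2 is None else detach(f1, f2)

def tree_size(d):
    return 0 if isinstance(d, int) else 1 + tree_size(d[0]) + tree_size(d[1])

def height(d):
    return 0 if isinstance(d, int) else 1 + max(height(d[0]), height(d[1]))

def compacted_size(d, seen=None):  # inner nodes of the minimal DAG
    seen = set() if seen is None else seen
    if not isinstance(d, int) and d not in seen:
        seen.add(d); compacted_size(d[0], seen); compacted_size(d[1], seen)
    return len(seen)

def enum_dterm_mgt_pairs(level, axioms, cache):
    """Axiom-driven enumeration of (D-term, MGT) pairs at a tree-size level."""
    if level in cache:
        return cache[level]
    if level == 0:
        return [(k, canon(ax)) for k, ax in axioms.items()]
    pairs = []
    for l1 in range(level):
        for d1, f1 in enum_dterm_mgt_pairs(l1, axioms, cache):
            for d2, f2 in enum_dterm_mgt_pairs(level - 1 - l1, axioms, cache):
                f = detach(f1, f2)
                if f is not None:  # structures whose unification fails are excluded
                    pairs.append(((d1, d2), f))
    return pairs

def sgcd_prove(goal, axioms, max_level=6, pre_add_max_level=1):
    """Nested loops of Fig. 1: probe levels l..l+preAddMaxLevel, then extend the cache."""
    cache = {}
    for l in range(max_level + 1):
        for m in range(l, l + pre_add_max_level + 1):
            for d, f in enum_dterm_mgt_pairs(m, axioms, cache):
                if unify(f, goal, {}) is not None:  # goal is ground, so this is matching
                    return d
        news = enum_dterm_mgt_pairs(l, axioms, cache)
        if not news:
            return None  # exhausted
        cache[l] = news
    return None
```

With the Mingle axiom of Sect. 2.2 mapped to the constant D-term 1, mgt((1, 1), {1: ("i", "x", ("i", "x", "x"))}) returns the canonically renamed MGT i(i(v0, i(v0, v0)), i(v0, i(v0, v0))) quoted in the text, and sgcd_prove with a ground instance of that theorem as goal returns the D-term (1, 1) during the probe of level 1 before the cache holds anything beyond level 0. A D-term such as (2, 1) whose major premise is a constant has no MGT, which is the unification failure the text describes; the occurs check in unify is what keeps cyclic bindings from being reported as an MGT.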


3 Improving a Prover via Learned Lemma Selection 


We employ machine learning to identify lemmas that can enhance proof search. 
Unlike the standard supervised scenario in which we learn from some train- 
ing problems and evaluate performance on separate test problems, we take a 
reinforcement learning approach of self-improvement that has already been suc- 
cessfully applied in several theorem proving projects since [68]. In this approach, 
we perform proof search with a base prover on our entire problem set and learn 
from the proof attempts.⁴ The learning-assisted prover is evaluated again in the 
problem set to see if it can find more or different problems. If there is improve- 
ment, the process can be repeated until performance saturates. In a bit more 
detail, our system has the following components. 


1. Base Prover: Performs proof search and its main role is to provide training 
data to the utility model. 

2. Utility Model: The model takes (conjecture, lemma, axioms) triples and 
outputs a utility score, i.e., some measure of how useful the lemma is for 
proving the conjecture from the axioms. The utility model is trained from 
the D-terms emitted by the base prover. 

3. Lemma Generator: Produces a large set of candidate lemmas for each 
problem separately. All candidates are derivable from the axioms. 

4. Evaluated Prover: For each problem, we evaluate the candidate sets with 
the utility model and select the best ones. These lemmas are provided to 
the evaluated prover which performs proof search on the problem set. The 
evaluated prover can be identical to or different from the base prover. 


4 We currently only learn from successful proof attempts and sketch an extension to 
learning from failure. 
Base Prover. Any prover that emits proofs as D-terms is suitable as a base prover. Given a D-term proof tree P of some formula C from axiom set As, any connected subgraph S of P can be considered as the proof of a lemma L. If S 
is a full tree, it proves a unit lemma, which is the formula associated with its 
root. Otherwise, it proves a Horn clause, whose head is the root formula of S 
and whose body corresponds to the open leaves of S. We currently focus on unit 
lemmas and leave more general subgraphs for future work. To approximate the 
utility of lemma L for proving C from As, there are several easy-to-compute 
logical candidates, such as the reduction in tree size, tree height or compressed 
size. A more refined measure is obtained if we reprove C with the lemma L 
added to the axioms As and observe how the number of inference steps changes.⁵ This is slower to compute, but takes into account the particularities of the base prover, hence provides more focused guidance. In our experiments, we find that the best performance is obtained by reproving and then computing utility U as the inference step reduction normalized into [-1, 1], where -1 means that 
the problem could not be solved within the original inference limit and 1 is 
assigned to the lemma that yields the greatest speedup. We end up with tuples 
(C, As, L, U) to learn from. 


Utility Model Training. We experiment with gradient-descent optimization 
for two classes of functions: linear models and graph neural networks (GNNs). 
Our linear model is based on 51 manually-identified features, some of them 
novel, described in [54, App. A]. For each feature $f_i$ there is an associated weight parameter $w_i$ to produce the final predicted utility 


$$U(f; w) = \sum_i f_i w_i$$


The second, more involved model is a GNN. Describing this model is beyond 
the scope of this paper: see e.g. [58] for a gentle introduction. What is crucial 
for our purposes is that no manual feature extraction is involved: a specialized 
neural network processes the D-terms of involved formulas directly and learns 
to extract useful features during optimization. As input, the model is given a 
graph, losslessly encoding D-terms of the lemma to be evaluated, the conjecture 
and the axioms. The precise network architecture is provided in [54, App. B]. 


Candidate Lemma Generation. Candidate lemmas are generated separately for each problem via the structure enumeration mechanism of SGCD, as explained in Fig. 1. The goal g is provided and preAddMaxLevel is set to 0, 
making SGCD proceed axiom-driven, generating lemmas level by level. However, 
it does intersperse the goal-driven inner loop, which is only trying to prove the 
goal on the level directly above the last cached level. SGCD may terminate with 


5 The number of inferences is a measure provided by the Prolog engine and is not 
identical to the number of steps in the FOL calculus. 
a proof, in which case further lemma generation is pointless. Otherwise it terminates after maxLevel is reached, generation of new levels is exhausted, or a 
time limit is reached. We then use the cache C and the abandoned triples as 
the generated output lemmas. Furthermore, there are many ways to configure 
SGCD. We obtained the best results generating by tree size and by PSP-level 
(explained below), combined with known good heuristic restrictions. In particu- 
lar we restrict the size of the lemma formulas to the maximum of the size of the 
axioms and the goal, multiplied by some factor (usually 2-5). We also restrict 
the number of elements in the cache, typically to 1,000. The lemmas are sorted 
by formula size measures, smaller preferred, to determine which are retained in 
the cache. 

Proof structure generation by PSP-level is a novel technique introduced in 
[74,76], based on an observation by Lukasiewicz and Meredith. In a detachment 
step, often the D-term that proves one premise is a subterm of the D-term that 
proves the other. We turn this relationship into a proof structure enumeration 
method: structures in level n + 1 are D-terms where one argument D-term is 
at level n and the other argument is a subterm of that D-term. The method is 
incomplete, but combines features of DAG enumeration while being compatible 
with a simple global lemma maintenance as realized with SGCD's cache [76]. 
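The level enumeration of Fig. 1 and the PSP-level enumeration just described, as an added Python example (not code from the paper or from SGCD): condensed detachment on D-terms, an MGT cache keeping one D-term per formula, and both enumerators run on a constructed two-axiom problem (K and S, goal i(x, x)), where plain level enumeration finds D(D(2,1),1) and the incomplete PSP-level enumeration does not.

```python
# Added example, not code from the paper or from SGCD: condensed detachment on
# D-terms with two structure enumerators, plain level-by-level enumeration (the
# axiom-driven loop of Fig. 1 without the goal-driven inner loop) and the
# incomplete PSP-level variant. A variable is a str, a compound term is
# (functor, *args), i(x, y) is implication and the P(...) wrapper is implicit;
# a D-term is an int (1-based axiom index) or ("D", major, minor).
def is_var(t):
    return isinstance(t, str)

def apply(t, s):
    """Apply substitution s (bindings may chain) to term t."""
    while is_var(t) and t in s:
        t = s[t]
    return t if is_var(t) else (t[0],) + tuple(apply(a, s) for a in t[1:])

def vars_of(t):
    return {t} if is_var(t) else set().union(*[vars_of(a) for a in t[1:]])

def unify(a, b, s):
    """Extend s to a most general unifier of a and b (occurs check), or None."""
    a, b = apply(a, s), apply(b, s)
    if a == b: return s
    if is_var(b):
        a, b = b, a
    if is_var(a):
        return None if a in vars_of(b) else {**s, a: b}
    if a[0] != b[0] or len(a) != len(b): return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def rename(t, tag):
    """Suffix every variable so that two formulas share no variables."""
    return t + tag if is_var(t) else (t[0],) + tuple(rename(a, tag) for a in t[1:])

def normalize(t, names=None):
    """Canonical variant: variables become x0, x1, ... by first occurrence."""
    names = {} if names is None else names
    if is_var(t):
        return names.setdefault(t, "x%d" % len(names))
    return (t[0],) + tuple(normalize(a, names) for a in t[1:])

def detach(major, minor):
    """Condensed detachment: for major i(A, B) and minor C, the MGT B.mgu(A, C)."""
    major, minor = rename(major, "'"), rename(minor, "''")
    if is_var(major) or major[0] != "i":
        return None
    s = unify(major[1], minor, {})
    return None if s is None else normalize(apply(major[2], s))

def subsumes(general, specific):
    """True if specific is an instance of general (its own variables stay fixed)."""
    binding = {}
    def go(p, t):
        if is_var(p):
            return binding.setdefault(p, t) == t
        return (not is_var(t) and p[0] == t[0] and len(p) == len(t)
                and all(go(x, y) for x, y in zip(p[1:], t[1:])))
    return go(general, specific)

def dsubterms(d):
    return {d} if isinstance(d, int) else {d} | dsubterms(d[1]) | dsubterms(d[2])

def enumerate_proof(axioms, goal, max_level, mode="level"):
    """Generate (level, D-term, MGT) triples level by level, keeping one D-term
    per MGT, until a cached MGT subsumes the goal; return that D-term or None.
    mode="level": one argument at the current level l; mode="psp": one argument
    at level l and the other a D-subterm of it."""
    goal, cache, seen = normalize(goal), {}, set()   # cache: D-term -> (level, MGT)
    for k, ax in enumerate(axioms, 1):                # level 0: the axioms
        cache[k] = (0, normalize(ax))
        seen.add(cache[k][1])
        if subsumes(cache[k][1], goal):
            return k
    for l in range(max_level):
        if mode == "level":
            pairs = [(d1, d2) for d1 in cache for d2 in cache
                     if max(cache[d1][0], cache[d2][0]) == l]
        else:
            pairs = [p for d, (lv, _) in list(cache.items()) if lv == l
                     for s in sorted(dsubterms(d), key=str) for p in ((d, s), (s, d))]
        new = []
        for d1, d2 in pairs:
            f = detach(cache[d1][1], cache[d2][1])
            if f is None or f in seen:       # no detachment, or MGT already proved
                continue
            if subsumes(f, goal):
                return ("D", d1, d2)
            seen.add(f)
            new.append((("D", d1, d2), f))
        if not new: return None              # search space exhausted
        cache.update((d, (l + 1, f)) for d, f in new)
    return None

# Constructed input: the K and S axioms of implicational logic and the goal i(x, x).
K = ("i", "x", ("i", "y", "x"))
S = ("i", ("i", "x", ("i", "y", "z")), ("i", ("i", "x", "y"), ("i", "x", "z")))
GOAL = ("i", "x", "x")
PROOF = enumerate_proof([K, S], GOAL, 2)              # ('D', ('D', 2, 1), 1)
```

With the same two levels, `enumerate_proof([K, S], GOAL, 2, mode="psp")` returns None, because D(2, 1) is never built when one argument must be a D-subterm of the other.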


Table 1. Features of the considered provers: whether their proofs are available as D- 
terms (possibly after some conversion), whether they were used with replacing lemma 
incorporation (Sect. 2), whether they operate goal-driven, and the underlying method. 


                   SGCD   Prover9   CMProver   leanCoP   CCS-Vanilla   Vampire   E
D-terms             •       •         •          –           •            –      –
Replacing lemmas    •       –         –          –           •            –      –
Goal-driven        •/–      –         •          •           •            –      –
CM-CT               –       –         •          •           –            –      –
RS                  –       •         –          –           –            •      •


Evaluated Prover. For each problem, we evaluate the candidate set with the 
utility model and select k lemmas with the highest predicted utility, where k is 
a hyperparameter. The evaluated prover then tries to solve the problems with 
the help of the selected lemmas. The lemmas can either be treated as additional 
axioms—applicable to any prover—or have a specialized treatment if the prover 
provides for it: in particular, SGCD and CCS-Vanilla use the lemmas to replace 
inner lemma enumeration.⁶ The evaluated prover can be any prover, since there 
is no specialized requirement to handle lemmas as new axioms. If, however, it 


6 Before the obtained input lemmas are passed to a prover we supplement them with 
the lemmas for all their subproofs, i.e. we close the set of D-terms under the sub- 
term relationship. This proved beneficial in experiments (see, e.g., [54, App. D]). An 
alternative would be to perform this closure on all generated lemmas before selection. 
is the base prover—or any other system that emits proofs as D-terms—then the 
learning procedure can be iterated as long as there are new problems solved. 


3.1 Learning-Based Experiments 


We experiment with a total of 312 CD problems, including all 196 pure CD 
problems from TPTP 8.1.2 [64], enriched with single-axiom versions of all the 
problems to which a technique by Tarski [37], as specified by Rezus [56], was 
applicable. We test several representative ATP systems, including state-of-the- 
art systems for both general first-order reasoning and for CD problems. 

Table 1 gives an overview of the considered provers. CCS-Vanilla is CCS [73] in 
a restricted configuration to find only those CD proofs with minimal compacted 
size, identifying problems that can clearly be solved with exhaustive search. It 
operates goal-driven, like the CM-CT provers, but by enumerating DAGs instead 
of trees through a local lemma maintenance mechanism. Vampire and E represent 
the state of the art of first-order ATP. Provers that produce D-terms as proofs 
(SGCD, Prover9, CMProver, CCS) can serve as base provers. We always rely on 
SGCD for lemma candidate generation. All provers are recent public versions: 
Vampire 4.5.1, E 2.6, leanCoP 2.1. We provide results in terms of time limits, 
although for the Prolog provers SGCD, CMProver and CCS-Vanilla we used a 
roughly-equivalent inference limit to avoid fluctuations due to server workload. 


Improving the Base Prover. In our first experiment, we evaluate base provers 
after learning from their own proof attempts. The provers are given k = 200 best 
lemmas according to the linear utility model. Table 2⁷ shows problems solved 
by four base provers without lemmas (Base case) and with two iterations of 
learning. The Total row gives the number of theorems proved by any of the 
three iterations shown. The stronger the base model, the harder it is to improve. 
CMProver and CCS-Vanilla are purely goal-driven and benefit greatly, reaching 
over 37% improvement for larger time limits. SGCD and Prover9 improve over 
5% for shorter time limits, but this effect gradually vanishes as the time limit is 
increased. 


Table 2. Number of problems solved over 2 iterations of training a linear model. 


                SGCD                    Prover9                 CMProver                CCS-Vanilla
Time     50s  100s  500s  30m    50s  100s  500s  30m    50s  100s  500s  30m    50s  100s  500s  30m
Base     266  275   285   285    240  252   259   262     82   85    94   103     81   88    99   105
Iter 1   280  282   284   281    250  254   262   257     83   93   105   121     96  101   117   130
Iter 2   281  283   281   283    247  247   267   265     79   98    95   126     96   97   120   128
Total    282  284   286   286    253  258   269   267     91  105   112   141    106  105   133   145


An analysis, provided in [54, App. D], reveals that in the proofs not found 
during lemma generation and found by SGCD after the provision of lemmas, 


7 Further visualizations of our experiments are provided in [54, App. C]. 
63-96% of the distinct subterms originate from the lemmas, i.e., a substantial 
portion of the proofs are built up from the provided lemmas. 


Learned Lemmas to Enhance Other Provers. Next, we fix SGCD as base 
prover and evaluate other provers, namely Vampire, E, Prover9 and leanCoP. 
Again, the provers are given k = 200 best lemmas according to the linear utility 
model. Table 3 shows the greatest boost is for the purely goal-driven leanCoP, 
where there is over 40% improvement for all time limits. Second is Vampire with 
8-15% improvement, followed by Prover9 and E with around 3% improvement. 
Interestingly, E does not solve more problems with the lemmas, but it solves 
different ones, hence the improvement. These results suggest a great deal of 
transferability of the benefits of the lemma selector. 


Table 3. Number of problems solved by Vampire (casc), E (autoschedule), Prover9 and 
leanCoP without and with additional lemmas using various time limits. 


               Vampire                 E                       Prover9                 leanCoP
Time     50s  100s  500s  30m    50s  100s  500s  30m    50s  100s  500s  30m    50s  100s  500s  30m
Base     221  224   252   263    253  264   275   281    236  244   257   260     70   71    77    77
Lemmas   249  257   274   283    256  266   275   275    246  250   261   269    100  103   111   113
Total    249  257   276   284    269  276   287   286    248  252   264   269    100  103   111   113


Changing the Number of Lemmas Added. Adding lemmas has potential 
to shorten proofs, but it also widens the search space, so it is not obvious how 
many lemmas are beneficial. In the next experiment, we again fix SGCD as base 
prover and evaluate SGCD and Vampire with different number of lemmas selected. 
Table 4 shows that as little as 25 added lemmas yield substantial improvement, 
7% for Vampire and 4% for SGCD, and performance does not drop as we add 
more lemmas: even at 500 we see no negative effect of the expanded search space. 


Table 4. Number of problems solved by Vampire (casc) and SGCD as we alter the 
number k of supplemented lemmas. We use a time limit of 100s. 


                  Vampire                         SGCD
Lemma count   10   25   50  100  200  500    10   25   50  100  200  500
Base         227  227  227  227  227  227   275  275  275  275  275  275
Lemmas       226  242  246  258  257  258   278  285  284  281  283  284
Total        231  243  247  258  257  258   282  285  284  283  284  285
Linear vs GNN Model. The preceding experiments suggest that even a simple 
linear model can provide useful guidance when features are carefully selected. 
Table 5 shows that the GNN—which processes the formulas directly and has 
no access to expert designed features—also successfully learns to identify useful 
lemmas for SGCD and even slightly surpasses the linear model. LCL125-1 can 
only be solved by the GNN-assisted prover, even at extremely large time limits. 


Table 5. Number of problems solved by SGCD over 2 iterations of training both a 
linear and a graph neural network model, for time limits 50s, 100s, 500s and 30 min. 


               Linear                  GNN
Time     50s  100s  500s  30m    50s  100s  500s  30m
Base     266  275   285   285    266  275   285   285
Iter 1   280  282   284   281    272  282   283   284
Iter 2   281  283   281   283    279  282   282   284
Total    282  284   286   286    279  285   287   287


3.2 Discussion of Learning-Based Experiments 


When enhanced by learning-based lemma selection, SGCD solves 287 of the 312 
problems. These include 28 problems not solved by the leading first-order prover 
Vampire [29], which solves 263 problems in its CASC [63] portfolio mode. Supple- 
mented with our lemmas, Vampire is boosted to 284 solved problems. In combina- 
tion, boosted SGCD and Vampire give 293 solved problems. Taking into account 
the solutions obtained by further provers with our lemmas, we obtain a total of 
297. For detailed results see [54, App. E] and http://cs.christophwernhard.com/cdtools/exp-lemmas/lemmas.html. 

A notable observation is that all systems—with the exception of E—improve 
when provided with selected lemmas. We argue that our framework addresses 
fundamental weaknesses of both purely goal-driven systems such as CMProver, 
leanCoP and CCS-Vanilla, as well as those of saturation style systems such as 
Vampire and E. For the former, it is their inability to generate lemmas, which 
results in unduly long proofs. For the latter, it is their unrestricted expansion 
of the branching of the search space. We find that goal-driven systems demon- 
strate huge improvement when lemmas are added: usually 20-40% depending on 
the configuration. The improvement is much more modest for saturation style 
systems, partly because their baselines are already stronger and partly because 
learned lemma selection still has a large room for improvement. This is the focus 
of our immediate future work. SGCD already provides a balance between goal- 
driven search and axiom-driven lemma generation and we only see significant 
improvement from lemmas when the time limit on proof search is smaller. Our 
manual feature-based linear model allows for exploiting expert knowledge. How- 
ever, we see more potential in automated feature extraction via GNNs. The fact 


Lemmas: Generation, Selection, Application 167 


that the two models perform similarly suggests that we are not providing enough 
training data for the GNN to manifest its full capabilities. 


4 Proving LCL073-1 


LCL073-1 was proven by Meredith in the early 1950s with substitution and 
detachment [42] but it remains outstandingly hard for ATP, where it came to 
attention in 1992 [40]; TPTP reports rating 1.0 and status Unknown since 1997. 
Only Wos proved it in the year 2000 with several invocations of OTTER [84], 
transferring output and insight between runs. The problem has a single axiom, 


P(i(i(i(i(i(x, y), i(n(z), n(u))), z), v), i(i(v, x), i(u, x)))), 


and the goal P(i(i(a, b), i(i(b, c), i(a, c)))), known as Syll [66]. The wider context 
is showing that a single axiom entails the elements of a known axiomatization of 
a propositional logic. Experiments with SGCD in our workflow led to a proof of 
LCL073-1 (Fig. 2, also [54, App. F]) surprisingly quickly. Its compacted size is 46, 
between that of Meredith (40, reconstructed with CD in [84]) and that of Wos 
(74). Our workflow is much simpler than Wos’, basically the same as our other 
experiments but restricted to one phase of lemma generation and incorporation, 
with only heuristic lemma selection, no learning. Nevertheless, success is fragile 
with respect to configuration, where reasons for failure or success are not obvious. 


2 = D(1, D(1, D(1, 1))), 3 = D(2, 2), 4 = D(1, 3), 5 = D(1, 4), 6 = D(5, 1), 7 = D(5, 6), 
8 = D(D(D(1, D(1, 7)), 6), 1), 9 = D(8, 6), 10 = D(8, D(1, 9)), 11 = D(D(1, D(1, D(4, 10))), 1), 
12 = D(1, D(6, DG, D(D(1, D(9, D(9, D(D(11, 3), 4)))), 1)))), 13 = D(D(D(12, D(5, D(8, 12))), 1), 7), 
14 = D(1, D(13, D(1, D(13, 5)))), 15 = D(D(1, D(13, D(D(D(D(13, 6), 9), 11), 10))), D(14, D(14, 1))) 


Fig. 2. The D-term of our proof of LCL073-1 represented by factor equations. 


Our configuration parameters are not problem specific, although we started 
out with lemma generation by PSP-level because it led earlier to a short proof of 
LCL038-1 [74,76]. We first call SGCD to generate lemmas by PSP-level enumera- 
tion, configured with a cache size of 5,000, terminating after 60s with exhaustion 
of the search space. Lemma features are computed for the 98,198 generated 
lemmas and written to disk, taking another 120s. Lemmas are then ordered 
lexicographically according to five features relating to sharing of symbols and 
subterms with the goal, and to formula dimensions, taking a further 70s. These 
five features are lf_h_height, lf_h_excluded_goal_subterms, lf_h_tsize, lf_h_distinct_vars, dcterm_hash, see [54, App. A] for their specification. We 
now call SGCD again, configured such that it performs PSP-level enumeration 
for axiom-driven phases, interleaved with level enumeration by height for goal- 
driven phases with 0 as preAddMaxLevel. It incorporates the first 2,900 ordered lemmas⁹ as input by replacement (Sect. 2). The cache size limit is set to 1,500, a value used in other generally successful configurations. Formulas occurring as subformulas of an earlier-proven formula are excluded, a variation of the organic property [37,76]. The proof is then found in 20s, total time elapsed about 270s. 


8 Notebook hardware, Intel® Core™ i7-1260P processor, 33 GB RAM. 

The D-term dimensions (compacted size, tree size, height) are (46, 3276, 40), 
compared to Meredith’s (40, 6172, 30)¹⁰ and Wos’ (74, 9207, 48). The maximal 
size (occurrences of non-constant function symbols) of a lemma formula (MGT of 
a subproof) in the proof is 19, the maximal height (tree height, disregarding the 
predicate symbol) 9, and the maximal number of variables 7. Of the 46 lemmas 
in the proof 12 are present in the 2,900 input lemmas. Among the 46 lemma for- 
mulas 35 are weakly organic [76] and 4 involve double negation. N-simplification 
[76] applies to 65 occurrences but does not effect a size reduction. The proof 
is S- and C-regular [76]. Certain configurations of SGCD for the proving phase 
also yield further proofs. In experiments so far, these are enumerated after the 
presented proof and have larger compacted size. 

Proof structure enumeration by PSP-level [76] is the main key to finding 
our proof of LCL073-1. It is used for lemma generation and for axiom-driven 
proof search, whereas goal-driven phases use height instead. The structure of 
the proof reflects this: all steps with the exception of the root can be considered 
PSP steps, i.e. one premise is a subproof of the other. The particular challenge 
of the problem lies in the fact that it was solved by a human (Meredith). Unlike 
in recent ATP successes for Boolos’ curious inference [5, 10], where the key is two 
particular second-order lemmas, the key here is a proof-structural principle for 
building-up proofs by lemmas. Intuitively it might express a form of economy, 
building proofs from proofs at hand, that belonged to Meredith’s repertoire. 


5 Conclusion 


We presented encouraging results about the use of lemmas in proof search. 
Provers are provided with lemmas generated via structure enumeration, a feature 
of the CM, and filtered with either learned guidance or manual heuristics. As a 
first step with this new methodology, we focus on the class of CD problems where 
we obtained strong results with our own system and substantial improvement of 
general first-order provers based on different paradigms, including the long-time 
competition leader Vampire. Moreover, our approach has led to the—in a sense 
first—automatic proof for the well-known Meredith single axiom problem with 
TPTP difficulty rating 1.0. 

An important and novel aspect in our work was the explicit consideration of 
proof structures, which for CD have a particularly simple form in D-terms. Proof 
structures of the CM have a direct correspondence to these [76], such that the 


9 2,900 is one of the fragile parameters. Depending on features chosen for ordering 
lemmas, there are ranges around 3,000 where the problem is solved. 

10 The length reported in [84] is the compacted size if also the proofs of the two other 
goals required to prove completeness of the single axiom are considered. The notion 
of compacted size straightforwardly generalizes from trees to sets of trees [76]. 
CM may guide the way to generalizations for more expressive logics. Another 
course of generalization is to move from unit lemmas, i.e. sharing of subtrees of 
D-terms, to more powerful lemmas. Preliminary work shows a correspondence 
between Horn clause lemmas, D-terms with variables, proofs in the connection 
structure calculus [15], and combinatory compression [73]. 

The learning-based experiments show little difference in performance between 
using a simple linear model and a more sophisticated graph neural network. We 
believe this is due to the small problem corpus, which yields a limited training 
signal. Hence, we plan to scale the system up to larger problem sets. 

Our work also sheds new light on perspectives for the CM. It is well-known 
that the lack of inherent lemma maintenance is a disadvantage of the CM com- 
pared to resolution, which can be overcome with the connection structure cal- 
culus [15], a generalization of the CM. Here we see in experiments a drastic 
improvement of the CM-CT provers by supplementing their input with exter- 
nally generated lemmas. SGCD, which grew out of the CM-CT approach and 
integrates repeated lemma generation into the proving process, keeps up with 
RS provers on CD problems, and can even be applied to improve these by sup- 
plying its lemmas as additional input. 
Abstract. We introduce a machine-learning-based tool for the Lean 
proof assistant that suggests relevant premises for theorems being proved 
by a user. The design principles for the tool are (1) tight integration with 
the proof assistant, (2) ease of use and installation, (3) a lightweight and 
fast approach. For this purpose, we designed a custom version of the ran- 
dom forest model, trained in an online fashion. It is implemented directly 
in Lean, which was possible thanks to the rich and efficient metaprogram- 
ming features of Lean 4. The random forest is trained on data extracted 
from mathlib — Lean's mathematics library. We experiment with various 
options for producing training features and labels. The advice from a 
trained model is accessible to the user via the suggest_premises tactic 
which can be called in an editor while constructing a proof interactively. 


Keywords: premise selection - machine learning - Lean proof assistant 


1 Introduction 


Formalizing mathematics in proof assistants is an ambitious and hard under- 
taking. One of the major challenges in constructing formal proofs of theorems 
depending on multiple other results is the prerequisite of having a good familiar- 
ity with the structure and contents of the library. Tools for helping users search 
through formal libraries are currently limited. 

In the case of the Lean proof assistant [13], users may look for relevant lemmas 
in its formal library, mathlib [5], either by (1) using general textual search tools 
and keywords, (2) browsing the related source files manually, (3) using mathlib's 
suggest or library_search tactics. 

Approaches (1) and (2) are often slow and tedious. The limitation of approach 
(3) is the fact that suggest or library_search propose lemmas that strictly match 
the goal at the current proof state. This is often very useful, but it also means 
that these tactics often fail to direct the user to relevant lemmas that do not 
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match the current goal exactly. They may also suggest too many trivial lemmas 
if the goal is simple. 

The aim of this project is to make progress towards improving the situation 
of a Lean user looking for relevant lemmas while building proofs. We develop a 
new tool that efficiently computes a ranking of potentially useful lemmas selected 
by a machine learning (ML) model trained on data extracted from mathlib. This 
ranking can be accessed and used interactively via the suggest_premises tactic. 

The project described here belongs to the already quite broad body of work 
dealing with the problem of fact selection for theorem proving [1,7,9,11,12,15, 
16]. This problem, commonly referred to as the premise selection problem, is 
crucial when performing automated reasoning in large formal libraries — both 
in the context of automated (ATP) and interactive (ITP) theorem proving, and 
regardless of the underlying logical calculus. Most of the existing work on premise 
selection focuses on the ATP context. Our main contribution is the development 
of a premise selection tool that is practically usable in a proof assistant (Lean 
in that case), tightly integrated with it, lightweight, extendable, and equipped 
with a convenient interface. The tool is available in a public GitHub repository: 
https://github.com/BartoszPiotrowski/lean-premise-selection. 


2 Dataset Collection 


A crucial requirement of a useful ML model is a high-quality dataset of training 
examples. It should represent the learning task well and be suitable for the ML 
architecture being applied. 

In this work, we use simple ML architectures that cannot process raw theorem 
statements and require featurization as a preprocessing step. The features need 
to be meaningful yet simple so that the model can use them appropriately. 
Our approach is described in Sect. 2.1. The notion of relevant premise may be 
understood differently depending on the context. In Sect.2.2, we describe the 
different specifications of this notion that we used in our experiments. 

The tool developed in this work is implemented and meant to be used in 
Lean 4 together with mathlib 4. However, since, at the time of writing, Lean 4’s 
version of the library is still being ported from Lean 3, we use mathlib3port¹ as 
our main data source. 


2.1 Features 


The features, similar to those used in [8,15], consist of the symbols used in the 
theorem statement with different degrees of structure. In particular, three types 
of features are used: names, bigrams and trigrams. 

As an illustration, take this theorem about groups with zero: 


    theorem div_ne_zero (ha : a ≠ 0) (hb : b ≠ 0) : a / b ≠ 0 := ...

This statement comes from one of the source files of mathlib. When producing the features for it, we do not use it directly as printed above but rather we take 


1 https://github.com/leanprover-community/mathlib3port (commit f4e5dfe). 
its elaborated counterpart — a much more detailed version where all the hidden assumptions are made explicit by Lean’s elaborator so that the expression 
precisely conforms to Lean’s dependent type theory. 

The most basic form of featurization is the bag-of-words model, where we 
simply collect all the names (and numerical constants) involved in the theorem. 

Following this definition, we obtain names ≠, 0, and /, which are visible in the source version of the statement,² plus many more hidden names only appearing 
in the elaborated expression, e.g., OfNat.ofNat that is related to interpreting 
numerical literals as natural numbers. 

During the featurization we distinguish features coming from the conclu- 
sion and the hypotheses (assumptions) of the theorem, and we mark them by 
prepending either T or H, respectively. 

For our running example of theorem div_ne_zero, all this results in the list 
of names that looks as follows: 


    H:OfNat.ofNat H:MonoidWithZero.toZero H:0 H:Ne T:HDiv.hDiv T:0 T:Ne ... 


It would be desirable, however, to keep track of which symbols appear next 
to each other in the syntactic trees of the theorem hypotheses and its statement. 
Thus, we extract bigrams that are formed by the head symbol and each of its 
arguments (separated by / below). 


    H:Ne/OfNat.ofNat H:OfNat.ofNat/0 T:OfNat.ofNat/0 T:Ne/OfNat.ofNat ... 


Similarly, we also consider trigrams, taking all paths of length 3 from the 
syntactic tree of the expression. 


    H:Ne/OfNat.ofNat/0 H:Ne/OfNat.ofNat/Zero.toOfNat0 ... 


2.2 Relevant Premises 


To obtain the list of all the premises used in a proof of a given theorem it suffices to traverse the theorem's proof term³ and keep track of all the constants whose type is a proposition. For instance, the raw list of premises that appear in the proof of div_ne_zero is: 


    GroupWithZero.noZeroDivisors
    div_eq_mul_inv
    mul_ne_zero
    inv_ne_zero
    Eq.refl


For more complicated examples, this approach results in a large number of 
premises including lemmas used implicitly by tactics (for instance, those picked 
by the ‘simplify’ tactic simp), or simple facts that a user would rarely write 


2 In fact, we use translations of these symbols from the elaborated counterpart of the 
theorem; so, for instance, we use Ne instead of the notation ≠, etc. 

3 A proof term is an internal Lean expression whose type is the theorem, constructed 
based on the proof written by a user, possibly using tactics. 
Table 1. Filters’ statistics. An example is a theorem with a non-empty list of premises. 
Because applying the source or math filter may result in an empty set of premises, the 
numbers of obtained training examples differ across the filters. 


                       all      source   math
Total premises         96 915   28 784   67 462
Total examples         41 755   20 571   40 187
Premises per example   3.12     2.35     2.09


explicitly. Three different filters are applied to mitigate this issue: all, source, 
and math. They are described below and their overall effect is shown in Table 1. 


1. The all filter preserves almost all premises from the original, raw list, removing
   those that were generated automatically by Lean. They contain a leading
   underscore in their names, e.g., RingTheory.MatrixAlgebra._auxLemma.1. In
   our example, there are no such premises. Examples from this filter are not
   appropriate for training an ML advisor for interactive use as the suggestions
   would contain many lemmas used implicitly by tactics. Yet, such an advisor
   could be used for automated ITP approaches such as hammers [3].

2. The source filter leaves only those premises that appear in the proof's source
   code. The idea is to model the explicit usage of premises by a user. Following
   our example, we would take the following proof as a string and list only the
   three premises appearing there:

   by rw [div_eq_mul_inv]; exact mul_ne_zero ha (inv_ne_zero hb)

3. The math filter preserves only lemmas that are clearly of mathematical nature,
   discarding basic, technical ones. The names of all theorems and definitions
   from mathlib are extracted and used as a whitelist. In particular, this means
   that many basic lemmas from Lean's core library (e.g. Eq.refl from our
   example) are filtered out.
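The three filters as an added Python example (not the paper's Lean extractor). The raw premise list, the proof string and the mathlib whitelist are constructed from the div_ne_zero example above; the auto-generated name is the one quoted in item 1, and the whitelist membership of the four mathlib lemmas is assumed. A small helper reproduces the kind of numbers reported in Table 1.

```python
"""Premise filters all / source / math over a raw premise list (added example)."""
import re
from typing import Callable, Iterable

# Constructed raw premise list, as a proof-term traversal might return it.
RAW_PREMISES = [
    "GroupWithZero.noZeroDivisors",
    "div_eq_mul_inv",
    "mul_ne_zero",
    "inv_ne_zero",
    "Eq.refl",
    "RingTheory.MatrixAlgebra._auxLemma.1",  # auto-generated name (from item 1)
]
PROOF_SOURCE = "by rw [div_eq_mul_inv]; exact mul_ne_zero ha (inv_ne_zero hb)"
# Assumed whitelist: names declared in mathlib (Lean core names such as Eq.refl are absent).
MATHLIB_NAMES = {
    "GroupWithZero.noZeroDivisors", "div_eq_mul_inv", "mul_ne_zero", "inv_ne_zero",
}

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_.']*")  # Lean-style identifiers in proof source


def is_auto_generated(name: str) -> bool:
    """Lean-generated auxiliary declarations have a component starting with '_'."""
    return any(part.startswith("_") for part in name.split("."))


def filter_all(premises: Iterable[str]) -> list[str]:
    """all: keep everything except auto-generated declarations."""
    return [p for p in premises if not is_auto_generated(p)]


def filter_source(premises: Iterable[str], source: str) -> list[str]:
    """source: keep only premises whose name is a token of the proof script."""
    tokens = set(_IDENT.findall(source))
    return [p for p in premises if p in tokens]


def filter_math(premises: Iterable[str], whitelist: set[str]) -> list[str]:
    """math: keep only names declared in mathlib (the whitelist)."""
    return [p for p in premises if p in whitelist]


def filter_statistics(dataset: list[list[str]], filt: Callable[[list[str]], list[str]]):
    """Table 1 style numbers: total premises, non-empty examples, premises per example."""
    examples = [filtered for filtered in (filt(p) for p in dataset) if filtered]
    total = sum(len(p) for p in examples)
    return total, len(examples), (total / len(examples) if examples else 0.0)
```

Note that filter_source matches whole identifiers, so a hypothesis name such as `ha` never collides with a lemma name, and Eq.refl is dropped by both source (it is not written in the script) and math (it is not a mathlib declaration).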


In addition to our base datasets containing one data point per theorem, we 
also created a dataset (labeled as intermediate) representing intermediate proof 
states. In the standard data sets we recorded features of an initial proof state (the 
hypotheses and the conclusion of the theorem to be proved) and the premises 
used in a full proof. In the intermediate data set we instead record features of 
a proof state encountered during constructing a proof, and premises used in the 
next proof step only. 

To this end, we used LeanInk,⁴ a helper tool for Alectryon [17], a toolkit that
aids exploration of tactical proof scripts without running the proof assistant.
Given a Lean file, LeanInk generates all the states that a user might be able
to see in the infoview (a panel in Lean that displays goal states and other
information about the prover's state) by clicking on the file. The file is split


⁴ https://github.com/leanprover/LeanInk.
into fragments, each containing a string of Lean code, represented by a list of
tokens, together with the proof states before and after. In this way, the file can 
be loaded statically simulating the effect of running Lean. Furthermore, it can be 
configured to keep track of typing information, which is key to detecting which 
tokens are premises. We modified LeanInk so that every fragment that appears 
inside a proof is treated as its own theorem by our extractor. We gather all the 
premises found in the list of tokens and featurize the hypotheses and goals in 
the “before” proof state. 

This dataset consists of 91 292 examples and 143 165 premises, which gives an 
average of around 1.57 premises per example. It represents a more fine-grained 
use of the premises, which does not exactly correspond to our main objective of 
providing rankings of premises on the level of theorem statements. We treat it 
as an auxiliary dataset potentially useful for augmenting our base data sets. 


3 Machine Learning Models 


The task modelled here with ML is predicting a ranking of likely useful premises 
(lemmas and theorems) conditioned by the features of the statement of a theorem 
being proved by a user. The nature of this problem is different from common
applications of classical ML: both the number of features and the number of labels
(premises) to predict are large, and the training examples are sparse in the feature space. Thus,
we could not directly rely on traditional implementations of ML algorithms, and
using custom-built versions was necessary. As one of our design requirements was
tight integration with the proof assistant, we implemented the ML algorithms 
directly in Lean 4, without needing to call external tools. This also served as a 
test for the maturity and efficiency of Lean 4 as a programming language. 

In Sects.3.1 and 3.2 we describe two machine learning algorithms imple- 
mented in this work: k-nearest neighbours (k-NN) and random forest. 


3.1 k-Nearest Neighbours 


This is a classical and conceptually simple ML algorithm [6], which has already 
been used multiple times for premise selection [2,9,10]. It belongs to the lazy 
learning category, meaning that it does not result in a prediction model trained 
beforehand on the dataset, but rather the dataset is an input to the algorithm 
while producing the predictions. 

Given an unlabeled example, k-NN produces a prediction by extracting the 
labels of the k most similar examples in the dataset and returning an averaged 
(or most frequent) label. In our case, the labels are lists of premises. We com- 
pose multiple labels into a ranking of premises according to the frequency of 
appearance in the concatenated labels. 

The similarity measure in the feature space calculates how many features
are shared between the two data points, but additionally puts more weight on
those features that are rarer in the whole training dataset D. The formula for
the similarity of the two examples x₁ and x₂ associated with sets of features f₁
and f₂, respectively, is given below.


—— Lente) Sige 2 
deas ren C) + Dye HA) E jenar tU HA) = 10% (i) | 


where D_f are those training examples that contain the feature f.

The advantages of k-NN are its simplicity and the lack of training. A disad- 
vantage, however, is the need to traverse the whole training dataset in order to 
produce a single prediction (a ranking). This may be slow, and thus not optimal 
for interactive usage in proof assistants. 
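A k-NN premise ranker as an added Python example (the paper's implementation is in Lean 4 and is not reproduced here). The paper's exact similarity formula is not recoverable from this page, so the weight w(f) = log(|D| / |D_f|) and the normalisation by the query's own feature weights are assumptions that realise the stated idea: a shared feature counts more when it occurs in few training examples. The training set is constructed.

```python
"""k-NN premise ranking with a rarity-weighted feature similarity (added example)."""
import math
from collections import Counter

# Constructed training examples: (features of the statement, premises used in its proof).
TRAIN = [
    ({"div", "ne", "zero", "div ne"}, ["div_eq_mul_inv", "mul_ne_zero", "inv_ne_zero"]),
    ({"mul", "ne", "zero", "mul ne"}, ["mul_ne_zero"]),
    ({"inv", "ne", "zero", "inv ne"}, ["inv_ne_zero"]),
    ({"add", "comm", "add comm"}, ["add_comm"]),
    ({"mul", "comm", "mul comm"}, ["mul_comm"]),
]


def feature_weights(train):
    """Assumed IDF weighting w(f) = log(|D| / |D_f|), D_f = examples containing f.
    A feature present in every example gets weight 0."""
    df = Counter()
    for feats, _ in train:
        df.update(feats)
    return {f: math.log(len(train) / c) for f, c in df.items()}


def similarity(f1, f2, w):
    """Total weight of the shared features, normalised by the total weight of f1
    (assumed normalisation; the score is 1.0 when f2 contains all of f1)."""
    total = sum(w.get(f, 0.0) for f in f1)
    if total == 0.0:
        return 0.0
    return sum(w.get(f, 0.0) for f in f1 & f2) / total


def knn_rank(query, train, k=3):
    """Rank premises by how often they occur among the labels of the k nearest
    examples; ties are broken alphabetically so the ranking is deterministic."""
    w = feature_weights(train)
    neighbours = sorted(train, key=lambda ex: similarity(query, ex[0], w), reverse=True)[:k]
    votes = Counter()
    for _, premises in neighbours:
        votes.update(premises)
    return sorted(votes, key=lambda p: (-votes[p], p))
```

Every prediction scans the whole training set once to score the neighbours, which is the cost the paragraph above refers to; with k fixed at 100 as in Sect. 4 the scan, not the vote, dominates.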


3.2 Random Forest 


As an alternative to k-NN, we use random forest [4] - an ML algorithm from the 
eager learning category, with a separate training phase resulting in a prediction 
model consisting of a collection of decision trees. The leaves of the trees contain 
labels, and their nodes contain decision rules based on the features. In our case, 
the labels are sets of premises, and the rules are simple tests that check if a given 
feature appears in an example. 

When predicting, unlabeled examples are passed down the trees to the leaves, 
the reached labels are recorded, and the final prediction is averaged across the 
trees via voting. The trees are trained in such a way as to avoid correlations 
between them, and the averaged prediction from them is of better quality than 
the prediction from a single tree. 

Our version of random forest, adapted to deal with sparse binary features
and a large number of labels, is similar to the one used in [19], where the task
was to predict the next tactic progressing a proof in the Coq proof assistant. There,
the features were also sparse; however, the difference is that here we need to
predict sets of labels (premises), not just one label (the next tactic).

Our random forest is trained in an online manner, i.e., it is updated sequen-
tially with single training examples, not with the entire training dataset at
once, as is typically done. The rationale for this is to make it easy to update
the model with data coming from new theorems proved by a user. This allows
the model to immediately provide suggestions taking into account these recently
added theorems.⁵

Algorithm 1 provides a sketch of how a training example updates a tree; for
all the details see the actual implementation in our public GitHub repository.⁶
A crucial part of the algorithm is the MAKESPLITRULE function creating node
splitting rules. Searching for the rules resulting in optimal splits would be costly,
thus this function relies on heuristics.

Figure 1 schematically depicts how a simple decision tree from a trained ran- 
dom forest predicts a set of premises for an input example. 


⁵ This mode, however, has not yet been tested in the current stage of this work.
⁶ The decision tree implementation is in the file PremiseSelection/Tree.lean.
[Fig. 1 image not recoverable from the extracted text; only its caption survives.]

Fig. 1. A schematic example of a decision tree from a trained random forest. Lowercase 
letters (a, b, c, ...) designate features of theorem statements, whereas uppercase letters 
(P, Q, R, ...) designate names of premises. The input (a featurized theorem statement) 
is being passed down the tree (along the green arrows) so that each node tests for a 
presence of a single feature, and passes the input example to the left (or right) sub-tree 
in the negative (or positive) case. The output is a set of premises in the reached leaf. 
(Color figure online) 


Algorithm 1. Updating a tree with a training example in a random forest.
 1: function ADDEXAMPLETOTREE(T, e)             ▷ T: tree to update, e: training example
 2:   match T with
 3:   Node(R, T_l, T_r):                         ▷ R: binary rule, T_l, T_r: left and right subtrees
 4:     match R(e) with                          ▷ passing example e down the tree to a leaf
 5:     Left:  return Node(R, ADDEXAMPLETOTREE(T_l, e), T_r)
 6:     Right: return Node(R, T_l, ADDEXAMPLETOTREE(T_r, e))
 7:   Leaf(E):                                   ▷ E: examples stored in the leaf
 8:     E ← APPEND(E, e)
 9:     if SPLITCONDITION(E) then                ▷ testing if the leaf should be split
10:       R ← MAKESPLITRULE(E)                   ▷ making semi-optimized new split rule
11:       E_l, E_r ← SPLIT(R, E)                 ▷ splitting examples into two parts
12:       return Node(R, Leaf(E_l), Leaf(E_r))   ▷ new subtree growing the tree
13:     else
14:       return Leaf(E)                         ▷ the original leaf augmented with example e
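Algorithm 1 and the prediction walk of Fig. 1 as an added Python example (not the paper's Tree.lean). An example is a pair (feature set, premise set). The paper leaves SPLITCONDITION and MAKESPLITRULE to heuristics; the two used here are assumptions: a leaf is split once it holds more than MAX_LEAF examples, and the split feature is the one whose presence divides the leaf's examples most evenly. The examples at the bottom are constructed.

```python
"""Online update of a single decision tree for premise prediction (added example)."""
from dataclasses import dataclass, field
from functools import reduce

MAX_LEAF = 2  # assumed leaf capacity before a split is attempted


@dataclass
class Leaf:
    examples: list = field(default_factory=list)


@dataclass
class Node:
    feature: str   # the binary rule R: "does the statement contain this feature?"
    left: object   # subtree for examples without the feature (negative case)
    right: object  # subtree for examples with the feature (positive case)


def split_condition(examples):
    return len(examples) > MAX_LEAF


def make_split_rule(examples):
    """Heuristic split: the feature separating the examples most evenly.
    Returns None when no feature separates them at all."""
    n = len(examples)
    best, best_gap = None, n + 1
    for f in sorted({f for feats, _ in examples for f in feats}):
        k = sum(1 for feats, _ in examples if f in feats)
        if 0 < k < n and abs(2 * k - n) < best_gap:
            best, best_gap = f, abs(2 * k - n)
    return best


def add_example_to_tree(tree, example):
    """ADDEXAMPLETOTREE: route the example to a leaf, append it, split if needed."""
    feats, _ = example
    if isinstance(tree, Node):
        if tree.feature in feats:
            return Node(tree.feature, tree.left, add_example_to_tree(tree.right, example))
        return Node(tree.feature, add_example_to_tree(tree.left, example), tree.right)
    examples = tree.examples + [example]
    if split_condition(examples):
        rule = make_split_rule(examples)
        if rule is not None:
            left = [e for e in examples if rule not in e[0]]
            right = [e for e in examples if rule in e[0]]
            return Node(rule, Leaf(left), Leaf(right))
    return Leaf(examples)


def build_tree(examples):
    """Feed the examples one at a time, as the online training does."""
    return reduce(add_example_to_tree, examples, Leaf())


def predict(tree, feats):
    """Pass a featurised statement down to a leaf and return the union of the
    premise sets stored there."""
    while isinstance(tree, Node):
        tree = tree.right if tree.feature in feats else tree.left
    return set().union(*(premises for _, premises in tree.examples))


# Constructed examples mirroring the kind of data described in Sect. 2.
EXAMPLES = [
    ({"div", "ne", "zero"}, {"div_eq_mul_inv", "mul_ne_zero", "inv_ne_zero"}),
    ({"mul", "ne", "zero"}, {"mul_ne_zero"}),
    ({"add", "comm"}, {"add_comm"}),
    ({"mul", "comm"}, {"mul_comm"}),
]
```

A forest is a list of such trees, each fed a random subset of the examples; the final ranking counts, for every premise, in how many trees' reached leaves it appears.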


4 Evaluation Setup and Results 


To assess the performance of the ML algorithms, the data points extracted from 
mathlib were split into training and testing sets. The testing examples come from 
the modules that are not dependencies of any other modules (there are 592 of 
them). This simulates a realistic scenario in which a user utilizing the suggestion 
tool develops a new mathlib module. The rest of the modules (2436) served as 
the source of training examples. 

Two measures of the quality of the rankings produced by ML are defined:
Cover and Cover+. Assuming a theorem T depends on the set of premises P of
size n, and R is the ranking of premises predicted by the ML advisor for T, these
measures are defined as follows:

$$\mathrm{Cover}(T) = \frac{|P \cap R[:n]|}{n}, \qquad \mathrm{Cover}_{+}(T) = \frac{|P \cap R[:n+10]|}{n},$$

where R[:k] is the set of the first k premises from ranking R. Both Cover and
Cover+ return values in [0, 1]. Cover gives the score of 1 only for a "perfect"
prediction where the premises actually used in the proof form an initial segment
of the ranking. Cover+ may also give a perfect score to less precise predictions.
The rationale for Cover+ is that the user in practice may look through 10 or
more suggested premises. This is often more than the n premises actually used
in the proof, so we consider initial segments of length n + 10 in Cover+.
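The two measures and a small evaluation harness as an added Python example (not the paper's evaluation code). The rankings and premise sets below are constructed; the advisor passed to evaluate is any function from statement features to a ranked list of premise names.

```python
"""Cover and Cover+ of a predicted premise ranking (added example)."""


def cover(premises, ranking, extra=0):
    """|P ∩ R[:n+extra]| / n, with n = |P|. extra=0 gives Cover, extra=10 gives Cover+.
    An example with no premises is rejected, matching the paper's convention that
    an example has a non-empty premise list."""
    n = len(premises)
    if n == 0:
        raise ValueError("Cover is undefined for an empty premise set")
    head = set(ranking[:n + extra])
    return len(set(premises) & head) / n


def cover_plus(premises, ranking):
    return cover(premises, ranking, extra=10)


def evaluate(test_set, advisor):
    """Average Cover and Cover+ over (features, premises) pairs."""
    scores = [(cover(p, advisor(f)), cover_plus(p, advisor(f))) for f, p in test_set]
    mean_cover = sum(c for c, _ in scores) / len(scores)
    mean_cover_plus = sum(cp for _, cp in scores) / len(scores)
    return mean_cover, mean_cover_plus
```

With P = {a, b, c} and the ranking [a, x, b, y, z, c], Cover is 2/3 because only a and b fall in the first three positions, while Cover+ is 1 because all three appear within the first thirteen; this is the "less precise prediction with a perfect score" the text describes.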

Both k-NN and random forest are evaluated on data subject to all three 
premise filters described in Sect. 2.2. For each of these variants of data, three 
combinations of features are tested: (1) names only, (2) names and bigrams, (3) 
names, bigrams, and trigrams. The hyper-parameters for the ML algorithms 
were selected by an experiment on a smaller dataset. For k-NN, the number 
of neighbours was fixed to 100. For random forest, the number of trees was 
set to 300, each example was used for training a particular decision tree with 
probability equal to 0.3, and the training algorithm passed through the whole 
training data 3 times. 

Table 2 shows the results of the experiment. In terms of the Cover metric,
random forest performed better than k-NN for all data configurations. However,
for the Cover+ metric, k-NN surpassed random forest for the math filter.

It turned out that the union of names and bigrams constitutes the best 
features for all the filters and both ML algorithms. It likely means that the more 
complex trigrams did not help the algorithms to generalize well but rather 
caused over-fitting on the training set. 

The results for the all filter appear to be much higher than for the other two
filters. However, this is because applying all results in many simple examples
containing just a few common, basic premises (e.g., just a single rfl lemma).
They increase the average score.

Overall, random forest with names + bigrams (n+b) features gives the best
results. An additional practical advantage of this model over k-NN is the speed
of outputting predictions. For instance, for the source filter and n+b features,
the average times of predicting a ranking of premises per theorem were 0.28 s
and 5.65 s for random forest and k-NN, respectively.

Additionally, we evaluated the ML models on the intermediate dataset,
using n+b features. The random forest achieved Cover = 0.09 and Cover+ = 0.24,
whereas k-NN resulted in Cover = 0.08 and Cover+ = 0.21 on the testing part of
the data. Then, we used the intermediate dataset in an attempt to improve the
testing results on the base dataset with the source filter (as intermediate only
contains premises exposed in the source files). We used the intermediate data
as a pre-training dataset, first training a random forest on it, and later on the
base data. We also used intermediate to augment the base data, mixing the two
together. However, neither in the pre-training nor in the augmentation mode
were statistically significant improvements in the testing performance achieved.
It is possible that the prediction quality from the practical perspective actually
improved, being more proof-state-dependent and not only theorem-dependent,
but it did not manifest in our theorem-dependent evaluation.

Table 2. Average performance of random forest and k-NN on testing data, for three
premise filters and three kinds of features. The type of features is indicated by a one-
letter abbreviation: n = names, b = bigrams, t = trigrams. For each configuration,
Cover and Cover+ measures are reported (the latter in brackets). In each row, the best
Cover result is marked with an asterisk.

    premises   random forest                                  k-nearest neighbours
               n            n+b           n+b+t               n            n+b          n+b+t
    all        0.56 (0.67)  0.57* (0.67)  0.47 (0.58)         0.51 (0.65)  0.52 (0.66)  0.51 (0.62)
    source     0.28 (0.36)  0.29* (0.36)  0.28 (0.36)         0.25 (0.35)  0.25 (0.36)  0.26 (0.35)
    math       0.25 (0.32)  0.26* (0.33)  0.16 (0.24)         0.22 (0.34)  0.23 (0.34)  0.16 (0.26)

The evaluation may be reproduced by following the instructions in the linked
source code.⁷


5 Interactive Tool 


The ML predictor is wrapped in an interactive tactic suggest_premises that users
can type into their proof script. It will invoke the predictor and produce a list of
suggestions. This list is displayed in the infoview. The display makes use of the
new remote-procedure-call (RPC) feature in Lean 4 [14], to then asynchronously
run various tactics for each suggestion. Given a suggested premise p, the system
will attempt to run the tactics apply p, rw [p] and simp only [p], and return
the first successful tactic application that advances the state. This will then be
displayed to the user as shown in Fig. 2. The user can select the resulting tactic to
insert into the proof script. By using an asynchronous approach, we can display
results rapidly without waiting for a slow tactic search to complete.


6 Future Work 


There are several directions in which the current work may be developed. 

'The results may be improved by augmenting the dataset with, for instance, 
synthetic theorems, as well as developing better features, utilizing the well- 
defined structure of Lean expressions. 

The evaluation may be extended to assess the proof-state level performance,
and to compare with the standard Lean suggestion tactics: library_search
and suggest. It could be beneficial to combine these tactics, which use strict
matching, with our tool based on statistical matching.


⁷ https://github.com/BartoszPiotrowski/lean-premise-selection#reproducing-evaluation.

[Fig. 2 is a screenshot not recoverable from the extracted text. Its legible remnants show
TacticTest.lean open in Visual Studio Code with the Lean Infoview on the right; the goal
at the cursor is a * b = b → a = 1 for a b : M with [RightCancelMonoid M], and the
Premise Selection panel lists suggestions including rw [eq_comm], apply mul_left_eq_self
and apply Iff.intro, ending with "finished checking 14 items".]

Fig. 2. The interactive tool in Visual Studio Code. The left pane shows the source file
with the cursor over a suggest_premises tactic. The right pane shows the goal state
at the cursor position and, below, the suggested lemmas to solve the goal. Suggestions
annotated with a checkbox advance the goal state, suggestions annotated with confetti
close the current goal. Clicking on a suggested tactic (e.g. apply mul_left_eq_self)
automatically appends it to the proof script on the left.

Applying modern neural architectures in place of the simpler ML algorithms 
used here is a promising path [7,12,16,18]. It would depart from our philosophy 
of a lightweight, self-contained approach as the suggestions would come from an 
external tool, possibly placed on a remote server. However, given the strength 
of the current neural networks, we could hope for higher-quality predictions. 
Moreover, neural models do not require hand-engineered features. The results 
presented here could serve as a baseline for comparison. 

Finally, premise selection is an important component of ITP hammer sys-
tems [3]. The presented tool may be readily used for a hammer in Lean, which
has not yet been developed.
Abstract. This work describes a new version of a previously published
Python package — gym-saturation: a collection of OpenAI Gym envi- 
ronments for guiding saturation-style provers based on the given clause 
algorithm with reinforcement learning. We contribute usage examples 
with two different provers: Vampire and iProver. We also have decou- 
pled the proof state representation from reinforcement learning per se 
and provided examples of using a known ast2vec Python code embed- 
ding model as a first-order logic representation. In addition, we demon- 
strate how environment wrappers can transform a prover into a problem 
similar to a multi-armed bandit. We applied two reinforcement learn- 
ing algorithms (Thompson sampling and Proximal policy optimisation) 
implemented in Ray RLlib to show the ease of experimentation with the 
new release of our package. 


Keywords: Automated theorem proving - Reinforcement learning - 
Saturation-style proving - Machine learning 


1 Introduction 


This work describes a new version (0.10.0, released 2023.04.25) of a pre-
viously published [28] Python package, gym-saturation¹: a collection of
OpenAI Gym [6] environments for guiding saturation-style provers (using the
given clause algorithm) with reinforcement learning (RL) algorithms. The new
version partly implements the ideas of our project proposal [29]. The main
changes from the previous release (0.2.9, on 2022.02.26) are:


— guiding two popular provers instead of a single experimental one (Sect. 3) 
— pluggable first-order logic formulae embeddings support (Sect. 4) 


¹ https://pypi.org/project/gym-saturation/.
— examples of experiments with different RL algorithms (Sect. 5)
— following the updated Gymnasium [35] API instead of the outdated OpenAI 
Gym 


gym-saturation works with Python 3.8+. One can install it by pip install 
gym-saturation or conda install -c conda-forge gym-saturation. Then, 
provided Vampire and/or iProver binaries are on PATH, one can use it as any 
other Gymnasium environment: 


    import gymnasium
    import gym_saturation

    # v0 here is a version of the environment class, not the prover
    env = gymnasium.make("Vampire-v0")  # or "iProver-v0"
    # edit and uncomment the following line to set a non-default problem
    # env.set_task("a-TPTP-problem-path")
    observation, info = env.reset()
    print("Starting proof state:")
    env.render()
    # truncation means finishing an episode in a non-terminal state
    # e.g. because of the externally imposed time limit
    terminated, truncated = False, False
    while not (terminated or truncated):
        # apply policy (e.g. a random available action)
        action = env.action_space.sample(mask=observation["action_mask"])
        print("Given clause:", observation["real_obs"][action])
        observation, reward, terminated, truncated, info = env.step(action)
    print("Final proof state:")
    env.render()
    env.close()


2 Related Work 


Guiding provers with RL is a hot topic. Recent projects in this domain 
include TRAIL (Trial Reasoner for AI that Learns) [2], FLoP (Finding Longer 
Proofs) [37], and lazyCoP [26]. We will now compare the new gym-saturation 
features with these three projects. 

Usually, one guides either a new prover created for that purpose (lazyCoP; 
FLoP builds on fCoP [14], an OCaml rewrite of older leanCoP [19]) or an exper- 
imental patched version of an existing one (TRAIL relies on a modified E [27]). 
Contrary to that, gym-saturation works with unmodified stable versions of 
Vampire [15] and iProver [10]. 

In addition, known RL-guiding projects are prover-dependent: FLoP could, 
in principle, work with both fCoP and leanCoP but reported only fCoP experi- 
ments. TRAIL claims to be reasoner-agnostic, but to our best knowledge, no one 
has tried it with anything but a patched E version it uses by default. [26] men-
tions an anonymous reviewer’s suggestion to create a standalone tool for other 
existing systems, but we are not aware of further development in this direction. 
Quite the contrary, we have tested gym-saturation compatibility with two dif- 
ferent provers (Vampire and iProver). 

Deep learning models expect their input to be real-valued tensors and not, 
for example, character strings in the TPTP [32] language. Thus, one always uses 
a representation (or embeddings) — a function mapping a (parsed) logic formula 
to a real vector. In lazyCoP and FLoP parts of embedding functions belong to 
the underlying provers, making it harder to vary and experiment with (e.g., one 
needs Rust or OCaml programming skills to do it). gym-saturation leaves the 
choice of representation open and supports any mapping from TPTP-formatted 
string to real vectors. The version described in this work also provides a couple 
of default options. 


3 Architecture and Implementation Details 


3.1 Architecture 


gym-saturation is compatible with Gymnasium [35], a maintained fork of now- 
outdated OpenAI Gym standard of RL-environments, and passes all required 
environment checks. As a result of our migration to Gymnasium, its maintainers
featured gym-saturation in a curated list of third-party environments².

Previously, gym-saturation guided an experimental pure Python prover [28] 
which happened to be too slow and abandoned in favour of existing highly effi- 
cient provers: Vampire and iProver. 

Although the gym-saturation user communicates with both iProver and
Vampire in the same manner, under the hood they use different protocols. For
Vampire, we relied on the so-called manual (interactive) clause selection mode
implemented several years ago for an unrelated task [11]. In this mode, Vampire
interrupts the saturation loop and listens on standard input for the number of the
clause to use as the given clause, instead of applying heuristics. Independently of this mode, Vampire
writes (or not, depending on the option show_all) newly inferred clauses to
its standard output. Using the Python package pexpect, we attach to Vampire's
standard input and output, pass the action chosen by the agent to the former
and read observations from the latter. In manual clause selection mode, Vampire
works like a server awaiting a request with an action to which it replies (exactly
what an environment typically does).

iProver recently added support for being guided by external agents. An agent
has to be a TCP server satisfying a particular API specification. So, iProver
behaves as a client which sends a request with observations to some server and
awaits a reply containing an action. To make it work with gym-saturation, we
implemented a relay server. It accepts a long-running TCP connection from a
running iProver thread, stores its requests in a thread-safe queue, and pops
a response to it from another such queue filled by the gym-saturation thread. See
Fig. 1 for a communication scheme.


² https://gymnasium.farama.org/environments/third_party_environments/.


[Fig. 1 diagram, recoverable only as its labels: the iProver thread sends a TCP request
carrying an observation to the Relay Server thread, which puts it into the observations
queue; the gym-saturation main thread gets the observation from that queue and puts an
action into the actions queue; the relay server pops the action and returns it to iProver
as the TCP response.]

Fig. 1. gym-saturation interacting with iProver
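The relay of Fig. 1 as an added Python example (not gym-saturation's own relay). The wire format, one JSON object per line with a {"clauses": [...]} request and an {"action": i} reply, is an assumption; iProver's actual API specification is not reproduced. The prover is a constructed stand-in thread so the whole exchange runs offline on the loopback interface.

```python
"""Relay server between an iProver-style TCP client and the environment loop (added example)."""
import json
import queue
import socket
import threading


class RelayServer:
    """Accepts one long-running connection. Each request is put into
    `observations`; the reply is taken from `actions`, filled by the env thread."""

    def __init__(self, host="127.0.0.1", port=0):
        self.observations = queue.Queue()  # filled by the prover's requests
        self.actions = queue.Queue()       # filled by the environment (main) thread
        self._srv = socket.create_server((host, port))
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self._srv.accept()
        with conn, conn.makefile("r") as reader:
            for line in reader:  # one JSON request per line
                self.observations.put(json.loads(line))
                reply = {"action": self.actions.get()}  # blocks until the env answers
                conn.sendall((json.dumps(reply) + "\n").encode())

    def close(self):
        self._srv.close()


def fake_prover(port, clause_batches, chosen):
    """Constructed stand-in for iProver: send the clauses, wait for the action."""
    with socket.create_connection(("127.0.0.1", port)) as sock, sock.makefile("r") as reader:
        for clauses in clause_batches:
            sock.sendall((json.dumps({"clauses": clauses}) + "\n").encode())
            chosen.append(json.loads(reader.readline())["action"])


def run_episode(clause_batches, policy):
    """Environment side of the loop: pop an observation, push the agent's action."""
    relay = RelayServer()
    chosen = []
    prover = threading.Thread(target=fake_prover, args=(relay.port, clause_batches, chosen))
    prover.start()
    try:
        for _ in clause_batches:
            observation = relay.observations.get(timeout=5)  # what env.step() reads
            relay.actions.put(policy(observation["clauses"]))  # what env.step() writes
        prover.join(timeout=5)
    finally:
        relay.close()
    return chosen


def shortest_clause(clauses):
    """Toy policy: pick the index of the shortest clause (a weight-like heuristic)."""
    return min(range(len(clauses)), key=lambda i: len(clauses[i]))
```

The two queues are what make the roles line up: the prover is a client that blocks on its own request, the environment's step method blocks on the observations queue, and neither side needs to know the other is a thread rather than a process.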


3.2 Implementation Details 


Clause Class. A clause is a Python data class having the following keys and
respective values:

— literals — a string of clause literals in the TPTP format, e.g.
  'member(X0,bb) | member(X0,b)'
— label — a string label of a clause, e.g. '21'. Some provers (e.g. Vampire)
  use integer numbers for labelling clauses, but others (e.g. iProver) use an
  alphanumeric mixture (e.g. 'c_54')
— role — a string description of a clause role in a proof (hypothesis, negated
  conjecture, axiom, et cetera)
— inference_rule — a string name of an inference rule used to produce the
  clause. It includes not only resolution and superposition but also values like
  'axiom' and 'input' (for theorem assumptions)
— inference_parents — a tuple of clause labels if needed by the inference rule
  ('axiom' doesn't need any, 'factoring' expects only one, 'resolution' two,
  et cetera)
— birth_step — an integer step number when the clause appeared in the proof
  state. Axioms, assumptions, and the negated conjecture have birth step zero.
All these fields except the birth_step (computed by the environment itself)
are already available as separate entities (and not parts of TPTP-formatted 
strings) in iProver and Vampire output. 


Environment Class 


Observation is a Python dictionary with several keys: 


— real_obs is a tuple of all clauses (processed and unprocessed). It can be
  transformed to a tensor representation by so-called observation wrappers³.
  gym-saturation provides several such wrappers for the cases of an external embed-
  dings service or a hand-coded feature extraction function

— action_mask is a numpy [13] array of size max_clauses (a parameter
  which one can set during the environment object instantiation) having a value
  1.0 at index i if and only if a clause with zero-based order number i currently
  exists and can be a given clause (e.g. not eliminated as redundant). All other
  values of action_mask are zeros. This array simplifies tensor operations on
  observation representations.


Limiting the total number of clauses in a proof state is a proxy of both random- 
access memory (each clause needs storage space) and time (a prover has to 
process each clause encountered) limits typical for the CASC [33] competition. 
One can add a standard Gymnasium time-limit wrapper to limit the number of 
steps in an episode. Setting wall-clock time and RAM limits is not typical for 
RL research. 


Action is a zero-based order number of a clause from real_obs. If a respective 
action_mask is zero, an environment throws an exception during the execution 
of the step method. 


Reward is 1.0 after a step if we found the refutation at this step and 0.0 otherwise. 
One can change this behaviour by either Gymnasium reward wrappers or by 
collecting trajectories in a local buffer and postprocessing them before feeding 
the trainer. 


Episode is terminated when an empty clause $false appears in the proof state 
or if there are no more available actions. 


Episode is truncated when there are more than max_clauses clauses in the proof
state. Since the state is an (extendable) tuple, we don't raise an exception when
a prover generates a few more clauses.


Info dictionary is always empty at every step by default. 


³ https://gymnasium.farama.org/api/wrappers/observation_wrappers/.
Render modes of the environment include two standard ones ('human' and
‘ansi’), the first one printing and the second one returning the same TPTP 
formatted string. 
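The Clause record, the action_mask part of an observation, the reward and the two episode end conditions of Sect. 3.2, as an added Python example (not gym-saturation's implementation). Field names follow the text; the `eliminated` flag, the helper names and the sample proof state are constructed. The mask is returned here as a plain list of floats, whereas gym-saturation uses a numpy array of the same shape.

```python
"""Clause records, action mask, reward and episode termination (added example)."""
from dataclasses import dataclass

EMPTY_CLAUSE = "$false"


@dataclass(frozen=True)
class Clause:
    literals: str
    label: str
    role: str
    inference_rule: str
    inference_parents: tuple = ()
    birth_step: int = 0
    eliminated: bool = False  # assumed: set once the prover discards the clause as redundant


def action_mask(clauses, max_clauses):
    """1.0 at index i iff clause i exists and may still be chosen as the given clause."""
    mask = [0.0] * max_clauses
    for i, clause in enumerate(clauses[:max_clauses]):
        if not clause.eliminated:
            mask[i] = 1.0
    return mask


def refutation_found(clauses):
    return any(c.literals.strip() == EMPTY_CLAUSE for c in clauses)


def step_reward(clauses):
    """1.0 on the step that produced the empty clause, 0.0 otherwise."""
    return 1.0 if refutation_found(clauses) else 0.0


def is_terminated(clauses, max_clauses):
    """Refutation found, or no clause left that could be selected."""
    return refutation_found(clauses) or not any(action_mask(clauses, max_clauses))


def is_truncated(clauses, max_clauses):
    """The state grew past max_clauses; the extra clauses are kept, not an error."""
    return len(clauses) > max_clauses


def given_clause(clauses, max_clauses, action):
    """Validate an action against the mask before handing it to the prover."""
    mask = action_mask(clauses, max_clauses)
    if not 0 <= action < max_clauses or mask[action] == 0.0:
        raise ValueError(f"action {action} is not available")
    return clauses[action]


# Constructed proof state: two input clauses at birth step 0 and one resolvent at step 1.
SAMPLE_STATE = [
    Clause("member(X0,bb) | member(X0,b)", "1", "axiom", "axiom"),
    Clause("~member(X0,bb)", "2", "negated_conjecture", "input"),
    Clause("member(X0,b)", "3", "plain", "resolution", ("1", "2"), birth_step=1),
]
```

Because max_clauses bounds the mask and not the tuple of clauses, a state with more clauses than max_clauses is truncated rather than rejected, which is the behaviour the text describes for provers that overshoot the limit by a few clauses.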


Multi-task Environment. The latest gym-saturation follows a Meta-World 
benchmark [36] style and defines set_task method with one argument — a 
TPTP problem full path. If one resets an environment without explicitly setting 
a task in advance, the environment defaults to a simple group theory problem 
(any idempotent element equals the identity). Having a default task helps us 
keep compatibility with algorithms not aware of multi-task RL. One can inherit 
from gym-saturation environment classes to set a random problem at every 
reset or implement any other desirable behaviour. 


4 Representation Subsystem 


4.1 Existing First-Order Formulae Representations and Related 
Projects 


As mentioned in Sect.2, to apply any deep reinforcement learning algorithm, 
one needs a representation of the environment state in a tensor form first. There 
are many known feature engineering procedures. It can be as simple as clause 
age and weight [25], or information extracted from a clause syntax tree [18] or 
an inference lineage of a clause [30]. Representing logic formulae as such is an 
active research domain: for example, in [23], the authors proposed more than a 
dozen different embedding techniques based on formulae syntax. In communities 
other than automated deduction, researchers also study first-order formulae rep- 
resentation: for example, in [5], the authors use semantics representation rather 
than syntax. One can also notice that first-order logic (FOL) is nothing more 
than a formal language, so abstract syntax trees of FOL are not, in principle, 
that different from those of programming language statements. And of course, 
encoding models for programming languages (like code2vec [4] for Java) exist, 
as well as commercially available solutions as GPT-3 [7] generic code embeddings 
and comparable free models like LLaMA [34]. 

To make the first step in this direction, we took advantage of existing pre- 
trained embedding models for programming languages and tried to apply them 
to a seemingly disconnected domain of automated provers. 


4.2  ast2vec and Our Contributions to It 


In [20], the authors proposed a particular neural network architecture they called 
Recursive Tree Grammar Autoencoders (RTG-AE), which encodes abstract syn- 
tax trees produced by a programming language parser into real vectors. Being 
interested in education applications, they also published the pre-trained model 
for Python [21]. To make use of it for our purpose, we furnished several technical
improvements to their code (our contribution is freely available⁴):


⁴ https://gitlab.com/inpefess/ast2vec.
— a TorchServe [24] handler for HTTP POST requests for embeddings
— request caching with the Memcached server [9]
— Docker container to start the whole subsystem easily on any operating system

[Fig. 2 diagram, recoverable only as its labels: the gym-saturation environment, wrapped
in an observation wrapper, turns a TPTP clause into a boolean expression in Python and
sends a JSON request to a TorchServe handler in a Docker container; the handler caches
new embeddings in memcached or fetches previously cached ones, runs the model on new
statements, and returns a JSON response that becomes the tensor observation of the
deep RL agent, which answers with an action.]

Fig. 2. gym-saturation communication with ast2vec


To integrate the ast2vec server with gym-saturation environments, we 
added Gymnasium observation wrappers, one of them mapping a clause in the 
TPTP language to a boolean-valued statement in Python (in particular, by 
replacing logic operation symbols: e.g. = in TPTP becomes == in Python). See 
Fig. 2 for a communication diagram. In principle, since a clause doesn't contain 
any quantifiers explicitly, one can rewrite it as a boolean-valued expression in 
many programming languages for which pre-trained embeddings might exist. 
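The following is an added example, not gym-saturation's own code, of the two steps sketched above and in Fig. 2: rewriting a TPTP CNF clause as a Python boolean expression (`|` to `or`, `~` to `not`, `=` to `==`) and caching embedding requests by a hash of the rewritten clause. `fake_embed` is a constructed stand-in for the ast2vec model and a dict stands in for the memcached server; all names here are our assumptions.

```python
"""Added example, not gym-saturation's own code: the observation-wrapper step
of Fig. 2 (TPTP clause -> Python boolean expression) plus request caching.
`fake_embed` stands in for the ast2vec model and a dict stands in for the
memcached server; both are our assumptions, as are all names below."""
import hashlib
import re
from typing import Callable, Dict, List

# TPTP operators we rewrite into Python syntax (CNF clauses use no quantifiers).
_OPS = {"|": "or", "~": "not", "=": "==", "!=": "!="}

# One token per match: an operator, a bracket, a comma, or a name
# (TPTP variables start with an upper-case letter, functors with a lower-case one).
_TOKEN = re.compile(r"\s*(!=|=|~|\||\(|\)|,|[A-Za-z0-9_]+)")


def clause_body(cnf: str) -> str:
    """Return the formula inside 'cnf(<name>, <role>, <formula>).'"""
    m = re.fullmatch(r"\s*cnf\(\s*\w+\s*,\s*\w+\s*,\s*(.*)\)\s*\.\s*", cnf, re.S)
    if m is None:
        raise ValueError(f"not a cnf(...) declaration: {cnf!r}")
    return m.group(1).strip()


def tokenize(body: str) -> List[str]:
    """Split a clause body such as 'X = Y | ~ p(X)' into tokens."""
    body, pos, tokens = body.strip(), 0, []
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if m is None:   # e.g. '$false': not handled by this small rewriter
            raise ValueError(f"unexpected character at {pos}: {body[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def tptp_to_python(cnf: str) -> str:
    """Rewrite a TPTP CNF clause as a boolean-valued Python expression:
    '|' -> 'or', '~' -> 'not', '=' -> '=='; names and brackets are kept."""
    out: List[str] = []
    prev = None
    for tok in tokenize(clause_body(cnf)):
        glue = bool(
            tok in (")", ",")                        # no space before ) and ,
            or prev == "("                           # no space after (
            or (tok == "(" and prev is not None      # functor application p(X)
                and prev not in _OPS and re.fullmatch(r"\w+", prev))
        )
        piece = _OPS.get(tok, tok)
        if glue and out:
            out[-1] += piece
        else:
            out.append(piece)
        prev = tok
    return " ".join(out)


def cache_key(expression: str) -> str:
    """memcached keys must be short ASCII without spaces: hash the expression."""
    return "ast2vec:" + hashlib.sha256(expression.encode()).hexdigest()


def fake_embed(expression: str) -> List[float]:
    """Constructed stand-in for the ast2vec model: a deterministic 256-vector."""
    digest = hashlib.sha256(b"embed:" + expression.encode()).digest()  # 32 bytes
    return [b / 255.0 for b in digest] * 8                              # 256 floats


class CachedEmbedder:
    """Stand-in for the TorchServe handler in front of memcached (Fig. 2):
    a clause is translated, hashed, and embedded only on a cache miss."""

    def __init__(self, embed: Callable[[str], List[float]] = fake_embed):
        self._embed = embed
        self._cache: Dict[str, List[float]] = {}   # stand-in for memcached
        self.misses = 0                            # calls that reached the model

    def embedding(self, cnf: str) -> List[float]:
        expression = tptp_to_python(cnf)
        key = cache_key(expression)
        if key not in self._cache:
            self.misses += 1
            self._cache[key] = self._embed(expression)
        return self._cache[key]


if __name__ == "__main__":
    # Constructed sample clauses in TPTP CNF syntax; the third repeats the first.
    SAMPLE = [
        "cnf(c1, axiom, ( X = Y | ~ p(X) )).",
        "cnf(c2, negated_conjecture, ~ member(a, b)).",
        "cnf(c1, axiom, (X = Y | ~p(X))).",
    ]
    embedder = CachedEmbedder()
    for clause in SAMPLE:
        vec = embedder.embedding(clause)
        print(tptp_to_python(clause), "->", len(vec), "floats")
    print("model calls:", embedder.misses)
```

Hashing the rewritten expression rather than the raw TPTP text means that two spellings of the same clause (different whitespace) share one cache entry, which is what makes the memcached layer pay off when a prover re-sends clauses it already reported.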


4.3 Latency Considerations 


Looking at Fig. 2, one might wonder how efficient such an architecture is. The 
average response time observed in our experiments was 2 ms (with a 150 ms 
maximum). A typical natural language processing model which embeds whole 
texts has a latency from 40 ms to more than 600 ms [17] (depending on the model 
complexity and the length of a text to embed) when run on CPU, so there is 
no reason to believe that ast2vec is too slow. When evaluating a prover, one 
usually fixes the time limit: for example, 60 s is the default value for Vampire. 
Being written in C++ and with a cornucopia of optimisation tweaks, Vampire 
can generate around a million clauses during this relatively short timeframe. 
Thus, to be on par with Vampire, a representation service must have a latency 
of around 60 μs (orders of magnitude faster than what we have). There are several 
ways to lower the latency: 


— inference in batches (one should train the embedding model to do it; ast2vec 
doesn't do it out of the box). The improvement may vary 

— use a GPU. NVIDIA reports around a 20x improvement vs CPU [16]. However, 
adding more GPUs won't be as efficient without batch inference from the 
previous point 

— request an embedding for a binary object of an already parsed clause instead 
of a TPTP string. This means not repeating parsing already done by a prover, 
which might lower the latency substantially. To do this, one will have to patch 
the underlying prover to return binary objects instead of TPTP strings 

— use RPC (remote procedure call) instead of the REST protocol. TorchServe relies 
on REST and parcels in JSON format, whereas gRPC [12] prefers the 
binary protobuf format. One rarely expects sub-millisecond latency from 
REST, although for RPC, 150 μs is not unusual. This point doesn't make 
much sense without the previous one 


5 Usage Examples 


We provide examples of experiments easily possible with gym-saturation as 
supplementary code to this paper⁵. We don't consider these experiments as 
being of any scientific significance per se; they serve merely as illustrations and basic 
usage examples. Tweaking the RL algorithms' meta-parameters and deep neural 
network architectures is out of the scope of the present system description. 

We coded these experiments in the Ray framework, which includes RLlib, 
a library of popular RL algorithms. Ray is compatible with the TensorFlow [1] 
and PyTorch [22] deep learning frameworks, so it doesn't limit a potential 
gym-saturation user to one of them. 

In the experiments, we try to solve SET001-1 from the TPTP with 
max_clauses=20 (having no more than twenty clauses in the proof state) for 
guiding Vampire and max_clauses=15 for iProver. This difference is because 
even a random agent communicating with iProver manages to always solve 
SET001-1 by generating no more than twenty clauses. We wanted training to 
start, but also to keep the examples as simple as possible, so we chose to harden the 
constraints instead of moving on to a more complicated problem. 

In one experiment, we organise clauses in two priority queues (by age and 
weight) and use an action wrapper to map from a queue number (0 or 1) to the 
clause number. That means we don't implant these queues inside provers but 
follow the Gymnasium idiomatic way to extend environments. Of course, Vampire 
and iProver have these particular queues as part of their implementation, but 
our illustration shows one could use any other priorities instead. It transforms 
our environment into a semblance of a 2-armed bandit, and we use Thompson 
sampling [3] to train. This experiment reflects ideas similar to those described 
in [31]. 

⁵ https://github.com/inpefess/ray-prover/releases/tag/v0.0.3 
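As an added example (ours, not gym-saturation's or the paper's supplementary code), the following shows the two-queue idea in the Gymnasium idiom: an action wrapper maps a queue number (0 = oldest clause, 1 = lightest clause) to a clause index, and a Beta-Bernoulli Thompson-sampling agent learns which queue to pull. The prover is replaced by a constructed toy environment whose max_clauses limit mirrors the experiments' constraint; `ToyProverEnv`, `QueueActionWrapper`, `ThompsonAgent` and the initial clause weights are all our assumptions.

```python
"""Added example, not gym-saturation's code: a two-queue action wrapper and a
Thompson-sampling agent over it.  `ToyProverEnv` is a constructed stand-in for
a saturation prover; every name here is our assumption, not a real API."""
import random
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Clause:
    age: int            # step at which the clause appeared (0..3: initial)
    weight: int         # symbol count; 0 stands for the empty clause
    processed: bool = False


class ToyProverEnv:
    """Constructed stand-in for a prover environment.

    An action is the index of an unprocessed clause.  Processing a clause of
    weight w 'generates' one child of weight w-1 (a caricature of inference).
    The episode ends with reward 1 when the empty clause appears and with
    reward 0 once `max_clauses` clauses exist without it, mirroring the
    max_clauses limit used in the paper's experiments.
    """
    INITIAL_WEIGHTS = (5, 4, 6, 2)   # constructed starting proof state

    def __init__(self, max_clauses: int = 8):
        self.max_clauses = max_clauses
        self.clauses: List[Clause] = []
        self.reset()

    def reset(self) -> List[Clause]:
        self.clauses = [Clause(age, w) for age, w in enumerate(self.INITIAL_WEIGHTS)]
        return self.clauses

    def step(self, index: int) -> Tuple[float, bool]:
        chosen = self.clauses[index]
        if chosen.processed:
            raise ValueError("clause already processed")
        chosen.processed = True
        child = Clause(age=len(self.clauses), weight=chosen.weight - 1)
        self.clauses.append(child)
        if child.weight == 0:                       # empty clause: proof found
            return 1.0, True
        if len(self.clauses) >= self.max_clauses:   # budget exhausted
            return 0.0, True
        return 0.0, False


class QueueActionWrapper:
    """Maps a queue number (0 = by age, 1 = by weight) to a clause index,
    the way a Gymnasium ActionWrapper's action() method would."""

    def __init__(self, env: ToyProverEnv):
        self.env = env

    def action(self, queue: int) -> int:
        unprocessed = [(i, c) for i, c in enumerate(self.env.clauses) if not c.processed]
        if queue == 0:
            return min(unprocessed, key=lambda ic: ic[1].age)[0]
        # lightest first, oldest on ties
        return min(unprocessed, key=lambda ic: (ic[1].weight, ic[1].age))[0]

    def step(self, queue: int) -> Tuple[float, bool]:
        return self.env.step(self.action(queue))


class ThompsonAgent:
    """Beta-Bernoulli Thompson sampling over the two queues."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.alpha = [1.0, 1.0]   # successes + 1 (uniform prior)
        self.beta = [1.0, 1.0]    # failures + 1

    def choose(self) -> int:
        samples = [self.rng.betavariate(self.alpha[a], self.beta[a]) for a in (0, 1)]
        return 0 if samples[0] >= samples[1] else 1

    def update(self, arms_used: List[int], reward: float) -> None:
        # Every pull made during the episode is credited with the episode's outcome.
        for a in arms_used:
            self.alpha[a] += reward
            self.beta[a] += 1.0 - reward

    def mean(self, arm: int) -> float:
        return self.alpha[arm] / (self.alpha[arm] + self.beta[arm])


def run_episode(wrapper: QueueActionWrapper, policy: Callable[[], int]) -> Tuple[float, List[int]]:
    """Run one episode; `policy()` returns a queue number at each step."""
    wrapper.env.reset()
    arms: List[int] = []
    reward, done = 0.0, False
    while not done:
        queue = policy()
        arms.append(queue)
        reward, done = wrapper.step(queue)
    return reward, arms


def train(episodes: int = 300, seed: int = 1) -> ThompsonAgent:
    rng = random.Random(seed)
    agent = ThompsonAgent(rng)
    wrapper = QueueActionWrapper(ToyProverEnv(max_clauses=8))
    for _ in range(episodes):
        reward, arms = run_episode(wrapper, agent.choose)
        agent.update(arms, reward)
    return agent


if __name__ == "__main__":
    trained = train()
    print("posterior mean, queue by age:   ", round(trained.mean(0), 3))
    print("posterior mean, queue by weight:", round(trained.mean(1), 3))
```

With the constructed weights, pulling the weight queue twice derives the empty clause in five clauses, whereas the age queue alone exhausts the budget of eight; the agent therefore sees the weight queue rewarded far more often and its posterior mean pulls ahead.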

In another experiment, we use the ast2vec server for getting clause embeddings 
and train a Proximal Policy Optimisation (PPO) algorithm as implemented in 
the Ray RLlib. The default policy network there is a fully connected one, and 
we used 256 × 20 tensors as its input (256 is the embedding size in ast2vec, and 
20 is the maximal number of clauses we embed). So, the policy chooses a 
clause given the embeddings of all clauses seen up to the current step (including 
those already chosen or judged to be redundant/subsumed). Such an approach 
is more similar to [37]. 


Fig. 3. Episode reward mean vs the total number of steps. The blue line is for a random 
agent and the orange one for the PPO. Both agents guide Vampire (Color figure 
online) 


We provide Fig. 3 as a typical training process chart. 


6 Conclusion and Future Work 


We contributed a new version of gym-saturation, which continues to be free 
and open-source software, easy to install and use, while promising assistance 
in setting up experiments for RL research in the automated provers domain. 
In the new version, we enabled anyone interested to conduct experiments with 
RL algorithms independently of an underlying prover implementation. We also 
added the possibility of varying representations as external plug-ins for further 
experimentation. We hope that researchers having such an instrument can focus 
on more advanced questions, namely how to generate and prioritise training 
problems to better transfer search patterns learned on simpler theorems to harder 
ones. 

Our experience with adding Vampire and iProver support to gym-saturation 
shows that working tightly with the corresponding prover developers is not 
mandatory, although it might help immensely. Implementing prover guidance 
through the standard I/O (as in Vampire) seems to be relatively easy, and we 
hope more provers will add similar functionality in future to be more ML-friendly. 
Such provers could then profit from using any other external guidance (see [8] 
for a different system using the same iProver technical features as we did). 

We identify a discerning and computationally efficient representation service 
as a bottleneck for our approach and envision an upcoming project of creating 
a universal first-order logic embedding model usable not only by saturation- 
style provers but also tableaux-based ones, SMT solvers, semantic reasoners, 
and beyond. 
Abstract. This paper establishes cut-elimination for μLL^∞, μLK^∞ and 
μLJ^∞, which are non-wellfounded sequent calculi with least and greatest 
fixed-points, by expanding on prior works by Santocanale and Fortier [20] 
as well as Baelde et al. [3,4]. The paper studies a fixed-point encoding 
of LL exponentials in order to deduce those cut-elimination results from 
that of μMALL^∞. Cut-elimination for μLK^∞ and μLJ^∞ is obtained by 
developing appropriate linear decorations for those logics. 


Keywords: LL · μ-calculus · Non-wellfounded proofs · Cut elimination 


1 Introduction 


On the Non-Wellfounded Proof-Theory of Fixed-Point Logics. In the context of 
logics with induction and coinduction (such as logics with inductive definitions à 
la Martin-Löf [6,9,10,25], or variants of the μ-calculus [11,22,23]), the need for a 
(co)inductive invariant (in the form of Park's rule for induction) is replaced 
by the ability to pursue the proof infinitely, admitting non-wellfounded branches, 
when considering non-wellfounded and circular proofs (also called cyclic, or regular 
proofs, since the proof tree is a regular tree, with finitely many distinct 
subtrees). In such frameworks, sequent proofs may be finitely branching but 
non-wellfounded derivation trees, and infinite branches shall satisfy some validity 
condition (otherwise one could derive any judgement, see Fig. 1(a)). Various 
validity conditions have been considered in the literature [3]. 

The non-wellfounded and circular proof-theory of fixed-points attracted a 
growing attention, first motivated by proof-search [1,7,8,16-18,28] and more 
recently by a Curry-Howard perspective, studying the dynamics of cut- 
elimination in those logics [4,20,29] where formulas correspond to (co)inductive 
types. Notice also that when interested in the computational content of proofs, 
we will not focus solely on the regular fragment as we expect, for instance, that 
we can write a regular program that computes a non-ultimately periodic stream. 


This work was partially funded by the ANR project RECIPROG, project reference 
ANR-21-CEA8-019-01. 


© The Author(s) 2023 
R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 203-222, 2023. 
https://doi.org/10.1007/978-3-031-43513-3_12 






Fig. 1. (a) Example of an invalid circular pre-proof (b) Schema of the multicut rule 


Cut-Elimination and LL. When studying the structure of proofs and their cut- 
elimination properties, LL, Girard's Linear Logic [21], is a logic of choice: the 
careful treatment of structural rules gives access to a lot of information and a 
fine-grained control over cut-reduction. The constrained use of structural rules 
indeed renders the cut-elimination theorem more informative than in LJ and of 
course LK. Interestingly, it provided a positive feedback on the understanding of 
LJ and LK: by decorating intuitionistic and classical proofs with enough exponential 
modalities (!, ?), they can become LL proofs and one can therefore refine 
the original cut-elimination relations [12,21]. This approach impacted the understanding 
of evaluation strategies of programming languages such as call-by-name 
and call-by-value notably. Another way to view this is by noting that, in LK, the 
additive and multiplicative presentations of conjunction (resp. disjunction) can 
be shown to be interderivable thanks to structural rules. This fails in LL and it 
is the reason why LL has well-established additive (⊕, &, ⊤, 0) and multiplicative 
(⅋, ⊗, ⊥, 1) fragments. It is the role of the exponential fragment to relate 
the additive and multiplicative worlds, by means of the fundamental equivalence 
$!A \otimes !B \dashv\vdash !(A \& B)$ (and its dual, $?A ⅋ ?B \dashv\vdash ?(A \oplus B)$). The exponential 
modalities are precisely introduced where structural rules are needed to restore 
the equivalence between the additive and multiplicative conjunctions; in categorical 
models of LL [26], this principle is referred to as Seely isomorphisms. 


Cut-Elimination for Non-Wellfounded Proofs. Proving cut-elimination results 
for non-wellfounded proofs in the presence of least and greatest fixed-points 
requires reasoning techniques coping with the non-inductive structure 
of the considered formulas (fixed-point formulas regenerate) and proof objects 
(which are non-wellfounded). For instance, Santocanale and Fortier [20] proved 
cut-elimination for the regular fragment of non-wellfounded proofs of purely 
additive linear logic with fixed points, μALL^∞, while Baelde et al. [4] proved 
cut-elimination for non-wellfounded proofs with additive and multiplicative connectives, 
μMALL^∞. In both cases, the proof relies on a generalization of the 
cut-rule, the multicut rule (which abstracts a portion of a proof tree constituted 
only of cut inferences, see Fig. 1(b)), and on a reasoning by contradiction 
to prove that one can eliminate cuts at the limit of an infinite cut reduction 
sequence, while preserving the validity condition. Baelde et al. [3,4] use a so- 
called "locative" approach by modelling sequents as sets of formulas paired with 
addresses which determine uniquely the formula occurrence in a sequent and 
make explicit the ancestor relation used to trace the progress along branches. 
Moreover, the cut-elimination proof proceeds by a rather complex semantical, 
roundabout argument relying on a soundness theorem. 

In a slightly different direction, Das and Pous [15] proved a cut-elimination 
result for Kleene algebras and their variants. This can be viewed as a non- 
commutative version of intuitionistic MALL with a particular form of inductive 
construction, Kleene's star. Kuperberg et al. [24] and more specifically Pinault's 
PhD thesis [27] as well as Das [13] examine non-wellfounded versions of System 
T based on [15], exploring the computational content of non-wellfounded proofs. 

Neither Santocanale and Fortier's [20,29] nor Baelde et al.'s [3,4] works captured 
full linear logic: the exponentials are missing and the proofs cannot deal 
with them in a simple way. Indeed, the proof for μALL^∞ strongly relies on the 
assumption that sequents are pairs of formulas (A ⊢ B), while in μMALL^∞ the 
locative approach taken by Baelde et al. is not well-suited to work with structural 
rules: the extension of the proof would be possible though highly technical. 
In contrast, our motto in the present work is to work with traditional sequents 
as lists of formulas and to exploit the (co)inductive nature of LL exponentials. 


On the (Co)Inductive Nature of Exponential Modalities in Linear Logic. The 
original works by Baelde and Miller on fixed-points in linear logic [2,5] focus on 
MALL only and present an encoding of the exponential modalities of LL using 
least and greatest fixed points. Indeed, the ? and ! modalities have an infinitary 
character which is well-known from the early days of linear logic (see Section 
V.5 of Girard's seminal paper [21]) and which is in fact respectively inductive 
for ? and coinductive for !; let us discuss it briefly here. 

One can decide to contract a ?-statement any finite number of times before 
it is ultimately weakened or derelicted. It is therefore natural to represent ?A 
with the formula $?^{\bullet}A = \mu X.\,A \oplus (\bot \oplus (X ⅋ X))$: A allows for dereliction, ⊥ for 
weakening and X ⅋ X will regenerate, by unfolding, two copies of $?^{\bullet}A$, making the 
contraction derivable. The ⊕ and μ connectives respectively provide the ability 
to choose any of those three inferences and to repeat this process finitely. 

On the other hand, a !-formula is a formula which, during cut-elimination, 
shall maintain a proper interaction with any number of contractions, weakenings 
or derelictions: a proof concluded with a promotion shall be able to react to any 
number of duplications or erasures before the promotion actually interacts with 
a dereliction to open the exponential box: from that follows the coinductive 
character of !A, modelled as $!^{\bullet}A = \nu X.\,A \& (1 \& (X \otimes X))$. 
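As a worked illustration added here (it is not part of the paper), the three ?-rules can be derived on the encoding $?^{\bullet}A = \mu X.\,A \oplus (\bot \oplus (X ⅋ X))$ with the one-sided μMALL^∞ rules, assuming their standard forms: $(\mu)$ unfolds $\vdash \Gamma, B[\mu X.B/X]$ into $\vdash \Gamma, \mu X.B$, $(\oplus_1)$/$(\oplus_2)$ are the two injections, and $(⅋)$, $(\bot)$ are the multiplicative rules. Writing $U = A \oplus (\bot \oplus (?^{\bullet}A ⅋ ?^{\bullet}A))$ for the unfolding of $?^{\bullet}A$:

$$
\text{dereliction:}\quad
\dfrac{\dfrac{\vdash \Gamma, A}{\vdash \Gamma, U}\ (\oplus_1)}{\vdash \Gamma, ?^{\bullet}A}\ (\mu)
\qquad
\text{weakening:}\quad
\dfrac{\dfrac{\dfrac{\dfrac{\vdash \Gamma}{\vdash \Gamma, \bot}\ (\bot)}{\vdash \Gamma, \bot \oplus (?^{\bullet}A ⅋ ?^{\bullet}A)}\ (\oplus_1)}{\vdash \Gamma, U}\ (\oplus_2)}{\vdash \Gamma, ?^{\bullet}A}\ (\mu)
$$

$$
\text{contraction:}\quad
\dfrac{\dfrac{\dfrac{\dfrac{\vdash \Gamma, ?^{\bullet}A, ?^{\bullet}A}{\vdash \Gamma, ?^{\bullet}A ⅋ ?^{\bullet}A}\ (⅋)}{\vdash \Gamma, \bot \oplus (?^{\bullet}A ⅋ ?^{\bullet}A)}\ (\oplus_2)}{\vdash \Gamma, U}\ (\oplus_2)}{\vdash \Gamma, ?^{\bullet}A}\ (\mu)
$$

Each of these is a finite derivation, which is the inductive character of ?. For the dual $!^{\bullet}A = \nu X.\,A \& (1 \& (X \otimes X))$, promotion from $\vdash ?^{\bullet}\Gamma, A$ needs, under $(\nu)$ and $(\&)$, a third branch $\vdash ?^{\bullet}\Gamma, !^{\bullet}A \otimes !^{\bullet}A$ whose two $(\otimes)$ premises (after contracting the context with the derived rule above) are again the promotion being built: the derivation closes only through a back-edge, which is the coinductive character of !.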

As discussed above and formally established by Baelde and Miller [5], the 
exponential rules can be derived in the finitary sequent calculus μMALL: to any 
LL provable sequent can be associated a provable μMALL sequent via the above 
translations of the exponentials. However, until now one can hardly say more 
about this embedding for two deep reasons: (i) the fundamental Seely isomorphisms 
which relate the additive and multiplicative versions of conjunction (resp. 
disjunction) are still derivable through this encoding but they are no longer isomorphisms, 
and (ii) on the provability level as well, the encoding is not faithful: 
the μMALL provability of the translation of an LL sequent s does not entail the 
LL provability of s itself (counter-example due to Das [14]). A contribution of 
the present paper is to put to work Baelde and Miller's encoding, showing that, 
in the case of non-wellfounded proofs, its structure is faithful enough to extract 
information on the cut-reduction behaviour of the logic. 


Contributions and Organization of the Paper. The main result of this paper 
is a cut-elimination theorem for μLL^∞, the non-wellfounded sequent calculus 
for linear logic extended with least and greatest fixed points. Our proof 
proceeds by encoding LL exponentials in μMALL^∞ and studying μLL^∞ cut- 
reduction sequences through their simulation in μMALL^∞, which may be a transfinite 
sequence. In Sect. 2, we introduce our logics, μMALL^∞, μLL^∞, μLK^∞ and 
μLJ^∞, altogether with their non-wellfounded proofs and validity conditions. We 
adapt the μMALL^∞ cut-elimination theorem [4] to our setting where sequents are 
lists and prove a compression lemma for μMALL^∞ transfinite cut-reduction 
sequences. Section 3 constitutes the core of our paper: we define μLL^∞ cut- 
reduction rules, study the encoding of exponentials in μMALL^∞ and show that 
μLL^∞ cut-reduction steps can be simulated in μMALL^∞, before proving the μLL^∞ 
cut-elimination theorem. We prove in Sect. 4, as corollaries, cut-elimination for 
μLK^∞ and μLJ^∞, the non-wellfounded sequent calculi for classical and intuitionistic 
logic. While our result for μLL^∞ shows that any fair cut-reduction 
sequence produces a cut-free valid proof, our two other cut-elimination results 
are truly (infinitary) weak-normalization results. We finally conclude in Sect. 5 
with perspectives. A major advantage of our approach is that the μMALL^∞ cut- 
elimination proof and, to some extent, the validity conditions, are regarded as 
black boxes, simplifying the presentation of the proof and making it reusable 
wrt. other validity conditions or μMALL^∞ proof techniques. An additional by- 
product of our approach, to the theory of linear logic, is to illustrate the fact 
that Seely isomorphisms are not needed to reach a cut-free proof. 

A companion technical report containing additional details on the definitions 
as well as full proofs is available online [30]. 


2 Non-Wellfounded Proofs: μMALL^∞, μLL^∞, μLK^∞, μLJ^∞ 


2.1 μ-Signatures and Formulas 


Definition 1 (μ-signature). A μ-signature is a set C of pairs (c, p) of a connective 
symbol c and a tuple p of elements of {+, −}. The arity of c, ar(c), is 
the length of p, while the elements of p indicate the mono/antitonicity of the 
connective in the given component. The empty tuple will be denoted as ().¹ 

Example 2 (μ-signature associated with μMALL, μLL, μLK, μLJ). The μ- 
signatures associated with μMALL, μLL, μLK, μLJ are: 

— μMALL signature: $\mathcal{C}_{\mu\mathrm{MALL}} = \{\otimes, ⅋, \oplus, \&\} \times \{(+,+)\} \cup \{0, 1, \top, \bot\} \times \{()\}$; 
— one-sided μLL signature: $\mathcal{C}_{\mu\mathrm{LL}} = \mathcal{C}_{\mu\mathrm{MALL}} \cup \{!, ?\} \times \{(+)\}$; 
— two-sided μLL signature: $\mathcal{C}_{\mu\mathrm{LL}_2} = \mathcal{C}_{\mu\mathrm{LL}} \cup \{(\multimap, (-,+)),\ ((\cdot)^{\bot}, (-))\}$; 
— μLK signature: $\mathcal{C}_{\mu\mathrm{LK}} = \{\wedge, \vee\} \times \{(+,+)\} \cup \{(\Rightarrow, (-,+))\} \cup \{\mathsf{T}, \mathsf{F}\} \times \{()\}$; 
— μLJ signature: $\mathcal{C}_{\mu\mathrm{LJ}} = \mathcal{C}_{\mu\mathrm{LK}}$. 

¹ μ-signatures can be enriched to consider quantifiers but we restrict to the propositional 
case here. 


Definition 3 (Pre-formulas). Given a μ-signature C, a countable set $\mathcal{V}$ of 
fixed-point variables and a set of atomic formulas $\mathcal{A}$, the set of pre-formulas 
over S is defined as the least set $\mathcal{F}_S$ such that: (α) $\mathcal{A} \cup \mathcal{V} \subseteq \mathcal{F}_S$; (β) for every c 
of arity n in C and $F_1, \ldots, F_n \in \mathcal{F}_S$, $c(F_1, \ldots, F_n) \in \mathcal{F}_S$; (γ) for every $X \in \mathcal{V}$ 
and pre-formula $F \in \mathcal{F}_S$, $\mu X.F \in \mathcal{F}_S$ and $\nu X.F \in \mathcal{F}_S$. 


Definition 4 (Positive and negative occurrences of a variable). Given 
a μ-signature C and a fixed-point variable $X \in \mathcal{V}$, one defines by induction 
on pre-formulas the fact, for X, to occur positively (resp. negatively) in a pre- 
formula: (α) X occurs positively in X; (β) X occurs positively (resp. negatively) 
in $c(F_1, \ldots, F_n)$, for $(c, p) \in C$, if there is some $1 \le i \le n$ such that X occurs 
positively (resp. negatively) in $F_i$ and $p_i = +$, or there is some $1 \le i \le n$ such that 
X occurs negatively (resp. positively) in $F_i$ and $p_i = -$; (γ) X occurs positively 
(resp. negatively) in $\sigma Y.F$, for $\sigma \in \{\mu, \nu\}$, if $Y \ne X$ and X occurs positively 
(resp. negatively) in F. 


Definition 5 (μ-formula). A μ-formula F over a signature S is a pre-formula 
containing no free fixed-point variable and such that for any sub-pre-formula of 
F of the form $\sigma X.G$, all occurrences of X in G are positive. 


Definition 6. One-sided μLL formulas are those formulas defined over the signature 
$\mathcal{C}_{\mu\mathrm{LL}}$ together with a set of atomic formulas $\{a, a^{\bot} \mid a \in \mathcal{A}\}$ for a countable 
set $\mathcal{A}$. Negation $(\_)^{\bot}$ is the involution on pre-formulas defined by: 

$(a)^{\bot} = a^{\bot}$; $\bot^{\bot} = 1$; $\top^{\bot} = 0$; $(F \otimes G)^{\bot} = F^{\bot} ⅋ G^{\bot}$; $(F \oplus G)^{\bot} = F^{\bot} \& G^{\bot}$; 
$(?F)^{\bot} = !F^{\bot}$; $X^{\bot} = X$; $(\nu X.F)^{\bot} = \mu X.F^{\bot}$. 


Definition 7 (μ-Fischer-Ladner subformulas). Given a μ-signature C and 
a μ-formula F, FL(F) is the least set of formulas such that: 

— $F \in FL(F)$; 
— $c(F_1, \ldots, F_n) \in FL(F) \Rightarrow F_1, \ldots, F_n \in FL(F)$ for $c \in C$; 
— $\sigma X.B \in FL(F) \Rightarrow B[\sigma X.B/X] \in FL(F)$ for $\sigma \in \{\mu, \nu\}$. 

Example 8. Let us consider $F = \nu X.((a \otimes a^{\bot}) \otimes (!X \otimes \mu Y.X))$. FL(F) is the set 
$\{F,\ (a \otimes a^{\bot}) \otimes (!F \otimes \mu Y.F),\ a \otimes a^{\bot},\ a,\ a^{\bot},\ !F \otimes \mu Y.F,\ !F,\ \mu Y.F\}$. 


The finiteness of FL(F) makes it an adequate notion of subformula: 


Proposition 9. For any μ-signature S and μ-formula F, FL(F) is finite. 
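The closure of Definition 7 is mechanical enough to compute, which also makes Proposition 9 concrete: the worklist below terminates because unfolding $\sigma X.B$ only ever produces formulas already generated, up to the substitution. This is an added example, not code from the paper; formulas are encoded as nested tuples and the names `subst`, `fl`, `show` and `EXAMPLE_F` are our own choices.

```python
"""Added example (not the paper's code): the Fischer-Ladner closure FL(F) of
Definition 7, run on the formula of Example 8.  Formulas are nested tuples:
('atom', a) | ('natom', a) for a⊥ | ('var', X) | ('un', c, F) for !F, ?F |
('bin', c, F, G) for ⊗ ⅋ ⊕ & | ('fix', σ, X, B) for μX.B, νX.B."""
from typing import Set, Tuple

Formula = Tuple  # see module docstring for the shapes used


def atom(a: str) -> Formula: return ('atom', a)
def natom(a: str) -> Formula: return ('natom', a)            # a⊥
def var(x: str) -> Formula: return ('var', x)
def un(c: str, f: Formula) -> Formula: return ('un', c, f)   # '!' or '?'
def bin_(c: str, f: Formula, g: Formula) -> Formula: return ('bin', c, f, g)
def fix(sigma: str, x: str, b: Formula) -> Formula: return ('fix', sigma, x, b)


def subst(f: Formula, x: str, by: Formula) -> Formula:
    """f[by/x].  `by` is a closed formula, so no variable capture can occur;
    a binder on the same variable shadows x and stops the substitution."""
    kind = f[0]
    if kind == 'var':
        return by if f[1] == x else f
    if kind in ('atom', 'natom'):
        return f
    if kind == 'un':
        return ('un', f[1], subst(f[2], x, by))
    if kind == 'bin':
        return ('bin', f[1], subst(f[2], x, by), subst(f[3], x, by))
    if f[2] == x:          # ('fix', σ, x, B): x is rebound here
        return f
    return ('fix', f[1], f[2], subst(f[3], x, by))


def fl(f: Formula) -> Set[Formula]:
    """Least set containing f, closed under the immediate subformulas of a
    connective and under unfolding σX.B ↦ B[σX.B/X] (Definition 7)."""
    closure: Set[Formula] = set()
    todo = [f]
    while todo:
        g = todo.pop()
        if g in closure:
            continue
        closure.add(g)
        kind = g[0]
        if kind == 'un':
            todo.append(g[2])
        elif kind == 'bin':
            todo.extend([g[2], g[3]])
        elif kind == 'fix':
            todo.append(subst(g[3], g[2], g))   # the unfolding B[σX.B/X]
    return closure


def show(f: Formula) -> str:
    """Pretty-print a formula in the paper's notation."""
    kind = f[0]
    if kind == 'atom':
        return f[1]
    if kind == 'natom':
        return f[1] + '⊥'
    if kind == 'var':
        return f[1]
    if kind == 'un':
        return f[1] + show(f[2])
    if kind == 'bin':
        return '(' + show(f[2]) + ' ' + f[1] + ' ' + show(f[3]) + ')'
    return f[1] + f[2] + '.' + show(f[3])


# Example 8: F = νX.((a ⊗ a⊥) ⊗ (!X ⊗ μY.X))
EXAMPLE_F = fix('ν', 'X',
                bin_('⊗', bin_('⊗', atom('a'), natom('a')),
                      bin_('⊗', un('!', var('X')), fix('μ', 'Y', var('X')))))


if __name__ == "__main__":
    for g in sorted(fl(EXAMPLE_F), key=show):
        print(show(g))
    print(len(fl(EXAMPLE_F)), "formulas in FL(F)")
```

Note the subtlety visible in the run: unfolding $\mu Y.F$ gives $F[\mu Y.F/Y] = F$ because Y is not free in F, so the closure gains nothing new there and stops at the eight formulas listed in Example 8.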
Fig. 2. (a) μMALL^∞ Inferences (b) μLL^∞ Exponential Inferences 


2.2 μMALL^∞, μLL^∞, μLK^∞ & μLJ^∞ Inference Rules 

Now, we define the inference rules associated with the above μ-signatures. 


Definition 10 (Sequents and inferences). A sequent $s = \Gamma \vdash \Delta$ over a μ- 
signature S is a pair of finite lists Γ, Δ of S-formulas: Γ is the antecedent and 
Δ the succedent. An inference rule r, usually presented by a schema, is the 
data of a conclusion sequent, premise sequents, together with an ancestor 
relation relating formulas of the conclusion with formulas of the premises. A 
rule has a subset of distinguished principal formulas of the conclusion. 


Convention 1. In the following, the ancestor relation will be depicted as colored 
lines joining related formulas. The principal formulas of an inference are the 
formulas which are explicitly spelled out in the conclusion sequent of an inference, 
not described via a context meta-variable. A formula occurrence of an inference 
is said to be active if it is principal or related to a principal formula by the 
ancestor relation. We will freely use the derived rules obtained by pre- and 
post-composition with the exchange rule, adapting the ancestry relation 
accordingly. Finally, for one-sided sequent calculi with an involutive negation $(\cdot)^{\bot}$, 
we may write $\Gamma \vdash \Delta$ for sequents $\vdash \Gamma^{\bot}, \Delta$ to clarify the computational behaviour 
of our examples (keeping the rule names unchanged). 


Definition 11 (μMALL^∞, μLL^∞, μLK^∞, μLJ^∞). μMALL^∞ inferences are given 
in Fig. 2. Those for one-sided μLL^∞ in Fig. 2(a) and 2(b). Those for μLK^∞ 
in Fig. 3. Those for μLJ^∞ by considering only inferences from Fig. 3 where the 
succedents of both premise and conclusion sequents are singletons. 

In the above sequent calculi, every inference but the cut satisfies the subformula 
property wrt. FL-subformulae. The 2-sided μLL^∞ sequent calculus, over 
$\mathcal{C}_{\mu\mathrm{LL}_2}$, is defined as usual and not recalled here for space constraints. 
Fig. 3. μLK^∞ Two-sided Inferences 


2.3 Pre-proofs and Validity Conditions 


Definition 12 (Pre-proofs). The set $\mathcal{P}_{S,I}$ of I-pre-proofs associated to 
some of the above μ-signatures S and sets of inferences I is the set of finite or 
infinite trees whose nodes are correctly labelled with inferences and sequents. 

Pre-proofs are equipped with a metric structure as follows: we define a distance 
$d : \mathcal{P}_{S,I} \times \mathcal{P}_{S,I} \to \mathbb{R}$ as: $d(\pi, \pi') = 0$ if $\pi = \pi'$ and $d(\pi, \pi') = 2^{-k}$ where 
k is the length of the shortest position where π and π' differ otherwise. 


Example 13. Consider the μLJ formulas $N = \mu X.\,\mathsf{T} \vee X$ and $S = \nu X.\,N \wedge X$. They 
represent nats and streams of nats. The μLJ^∞ derivations of Fig. 4 respectively 
represent natural numbers, the successor function, the stream n::n+1::n+2::..., the double 
function and the function that builds a stream enumerating the natural numbers 
from its input: the cut-elimination process considered below will ensure 
that cutting $\pi_k$ with $\pi_{\mathrm{enum}}$ will infinitarily reduce to the derivation of the 
stream k::k+1::k+2::.... Figure 5 shows other 
examples of μLL^∞ pre-proofs, discussed with the validity condition. 

The back-edge arrow to a lower sequent is notation to describe a fixed-point 
definition of the proof object: the subproof rooted in the source is equal to the 
proof rooted in the target. Trivially there is a unique solution. 


In the following, we assume given a μ-signature S and a sequent calculus $\mathcal{S}$ for 
this signature, and we shall define the valid $\mathcal{S}$-proofs as a subset of $\mathcal{S}$-pre-proofs 
by introducing a thread-based validity condition. 


Definition 14 (Thread and validity). Given a pre-proof π and an infinite 
branch $\beta = (s_i)_{i \in \omega}$ in π, a thread for β is an infinite sequence θ of formula 
occurrences such that $\forall i \in \omega$, $\theta_i$ is a formula occurrence of $s_i$, and $\theta_i$ and $\theta_{i+1}$ 
are ancestors of each other. θ is said to support β. 

A formula F is recurring in a thread θ of β if there are infinitely many i 
such that $\theta_i$ is an occurrence of F. 

A thread θ is valid if it contains infinitely often the principal formula (occurrence) 
of a ν or μ rule and if the set of recurring formulas of θ has a least element 
(for the usual subformula ordering) which is (i) a ν formula when the least element 
occurs in the succedents or (ii) a μ formula if it occurs in the antecedents. 
A pre-proof is valid if all its infinite branches have a suffix supported by a valid 
thread. 


Fig. 4. Examples of μLJ^∞ pre-proofs 


Example 15 ((Non-)valid pre-proofs). Consider the pre-proof in Fig. 5(a), with 
$F = \nu X.((a \otimes a^{\bot}) \otimes (!X \otimes \mu Y.X))$ and $G = \mu Y.F$. The rightmost branch is 
supported by the green thread for which the least recurring formula is F, a ν- 
formula. All other branches are valid: this pre-proof is valid. Consider now the 
same pre-proof but with $F = \nu X.((a \otimes a^{\bot}) \otimes (!X \otimes G))$ and 
$G = \mu Y.\nu X.((a \otimes a^{\bot}) \otimes (!X \otimes Y))$. G is now a subformula of F and G, a μ-formula, becomes the 
least recurring formula of all threads along the right-most infinite branch. This 
branch is invalid: the pre-proof is not a proof. Examples of μLL^∞ invalid pre- 
proofs are given in Fig. 1(a), 5(b-c). In Fig. 4, double has a left thread on N while 
the stream derivation and $\pi_{\mathrm{enum}}$ have right threads on S: they are valid. 


2.4 Non-Locative μMALL^∞ Cut-Elimination Theorem 


The validity condition defines a subset of pre-proofs, ensuring good properties 
for those non-wellfounded derivations that satisfy the validity condition. In 
this paper, we will mainly be interested in the cut-elimination theorem, which was 
proved for μMALL^∞ [4] and which we review in this subsection. In [4], a somehow 
stronger result than cut-elimination is proved: infinitary strong normalization 
with respect to the class of fair reduction sequences. 

The only new result developed in this subsection is the lifting of the 
occurrence-based cut-elimination result of [4] to our setting, for which 
we first introduce the multicut inference and review the main multicut-reduction 
steps for μMALL^∞ before defining fair reductions. The cut-elimination results 
of [4,20] do not rewrite cuts, per se, but subtrees of cuts in the form of an abstraction 
called multicut, which is a variable arity inference defined as follows: 


Definition 16. The multicut inference is given by the data of (i) a conclusion 
sequent s, (ii) a non-empty list of premises $(s_1, \ldots, s_n)$, $n \ge 1$, (iii) an 
ancestor relation ι which is an injective map from the conclusion formulas to 
the premise formulas and relates identical formulas, and additionally (iv) a cut- 
connectedness relation ⫫ which is a total, symmetric, binary relation among 
the formula occurrences of the premises which are not ancestors of a conclusion 
formula, which relates dual formulas² and which satisfies a connectedness and 
acyclicity condition (see [3,4]). The multicut inference has no principal formula. 

Fig. 5. Examples of valid and invalid pre-proofs 

We write this multicut rule as: 
$$\dfrac{\vdash s_1 \quad \cdots \quad \vdash s_n}{\vdash s}\ \mathrm{mcut}(\iota, ⫫)$$


In the following, we only consider μMALL^∞ pre-proofs with specific multicuts: 

Definition 17 (μMALL^∞_m). μMALL^∞_m (pre)proofs are those (pre)proofs built 
from μMALL^∞ inferences and the multicut, such that (i) any branch contains 
at most one multicut and (ii) any occurrence of a cut is above a multicut inference. 

In the following, we shall always assume, even without mentioning it, that 
we consider proofs in μMALL^∞_m (as well as μLL^∞_m, μLJ^∞_m, μLK^∞_m). We need the 
following definition (from [4]), identifying the premises of an mcut which are 
cut-connected to a given formula occurrence: 


Definition 18 (Restriction of an mcut-context). Consider an occurrence of 
an mcut $\dfrac{\vdash s_1 \quad \cdots \quad \vdash s_n}{\vdash s}\ \mathrm{mcut}(\iota, ⫫)$ and assume $s_i$ to be $\vdash F_1, \ldots, F_k$. We define 
$\mathcal{C}_{F_j}$, $1 \le j \le k$, to be the least set of sequent occurrences contained in $\{s_1, \ldots, s_n\}$ 
such that: 

(i) if $\exists k, l$ such that $(k, l) ⫫ (i, j)$, then $s_k \in \mathcal{C}_{F_j}$; 
(ii) for any $k, k' \ne i$, if $s_k \in \mathcal{C}_{F_j}$ and $\exists l, l'$ such that $(k, l) ⫫ (k', l')$, then $s_{k'} \in \mathcal{C}_{F_j}$. 
We define $\mathcal{C}_{\emptyset} = \emptyset$ and $\mathcal{C}_{\Gamma, F} = \mathcal{C}_{\Gamma} \cup \mathcal{C}_{F}$. 

When relating μLL^∞ and μMALL^∞ mcut-sequences below, we shall consider 
not only finite sequences or ω-indexed sequences but also transfinite sequences. 
Those are sequences of triples of a proof, a redex and the position of the redex 
in the proof tree. A position p has a depth dpth(p) which is its length. 


Definition 19 (mcut-reduction rules, transfinite sequences). μMALL^∞ 
mcut-reduction sequences are directly adapted from [3,4]. Given an ordinal λ, a 
transfinite reduction sequence of length λ, or λTRS, is a λ-indexed sequence 
$(\pi_i, r_i, p_i)_{i \in \lambda}$ such that $\pi_i \to^{r_i, p_i} \pi_{i+1}$, for any i such that $i + 1 \in \lambda$, where the 
reduction occurs at position $p_i$ reducing mcut-redex $r_i$. 

² When working with two-sided sequents, ⫫ will relate identical formulas, one in a 
succedent, the other in an antecedent. 

Definition 20 (Weak and strong convergence). A (transfinite) mcut reduction 
sequence $(\pi_i, r_i, p_i)_{i \in \alpha}$ is weakly converging if for any limit ordinal $\beta \in \alpha$, 
$\lim (\pi_i)_{i \in \beta} = \pi_\beta$. $(\pi_i, r_i, p_i)_{i \in \alpha}$ is strongly converging if it is weakly converging 
and moreover for any limit ordinal $\beta \in \alpha$, $\lim (\mathrm{dpth}(p_i))_{i \in \beta} = +\infty$. 


Remark 21. The cut-reduction rules preserve the property that every branch of 
a proof has at most one multicut inference: μMALL^∞_m is closed by cut-reduction. 

A μMALL^∞_m pre-proof π may contain multiple cut-redexes: $\pi \to^{r_1, p_1} \pi_1$ and 
$\pi \to^{r_2, p_2} \pi_2$. As usual, a notion of residual associates to $(r_1, p_1)$ a set of redexes 
of $\pi_2$, $(r_1, p_1)/(r_2, p_2)$, which is generalized to reduction sequences: $(r_1, p_1)/\sigma$. 

Definition 22 (Fair reduction sequences). A reduction sequence $(\pi_i, r_i, p_i)_{i \in \omega}$ 
is fair if for all $i \in \omega$ and r, p such that $\pi_i \to^{r, p} \pi'$ there is some 
$j \ge i$ such that $\pi_j$ does not contain a residual of (r, p) anymore. 

Theorem 23. Every fair mcut-reduction sequence of μMALL^∞ valid proofs of 
$\vdash \Gamma$ (strongly) converges to a cut-free valid proof of $\vdash \Gamma$. 


2.5 Compressing Transfinite u MALL?? Cut-Reduction Sequences 


In the previous paragraph, we introduced not only w-indexed sequences, but 
transfinite u:MALL*?? cut-reduction sequences as we shall need reduction beyond 
w when simulating wLL° cut-elimination in ; MALL??. We shall now prove that 
a class of transfinite u;:MALL?? mcut-reduction sequences can be compressed to 
wTRS. This result can be viewed as adapting to our setting the compression 
lemma from infinitary rewriting [31], even though we require more on the struc- 
ture of the compressed sequences as it will be useful to establish uLL?? cut- 
elimination. 


Definition 24 (Depth-increasing). A 4 MALL?? cut reduction sequence o = 
(Ti, Ti, Pi)icw is depth-increasing if (dpth(p;));e, is (weakly) increasing. 


Definition 25 (Reordering). An mcut reduction sequence $\sigma = (\pi_i, r_i, p_i)_{i \in \alpha}$
is a reordering of $\sigma' = (\pi'_i, r'_i, p'_i)_{i \in \beta}$ if there is a bijection $\phi$ between $\alpha$ and $\beta$
such that for any $i \in \alpha$, $(r'_{\phi(i)}, p'_{\phi(i)}) = (r_i, p_i)$.


Proposition 26 (Compression lemma). Let $\sigma = (\pi_i, r_i, p_i)_{i \in \alpha}$ be a strongly
converging μMALL^∞ transfinite cut-reduction sequence. There exists a μMALL^∞
cut-reduction sequence $\mathrm{Comp}(\sigma) = (\pi'_i, r'_i, p'_i)_{i \in \beta}$ which is a reordering of $\sigma$,
depth-increasing, strongly converging with the same limit as $\sigma$ and such that
$\beta = \alpha$ if $\alpha$ is finite and $\beta = \omega$ otherwise.


3 Cut-Elimination Theorem for μLL^∞


The aim of this section is to prove the following theorem:

Theorem 27. For any valid μLL^∞ proof π, fair μLL^∞ mcut-sequences from π
converge to cut-free μLL^∞ proofs.


The idea of the proof and outline of the present section are as follows:

1. We shall first define the cut-reduction rules for μLL^∞ by extending μMALL^∞
multicut-reduction with rules for reducing exponential cuts.

2. We then encode exponentials with fixed-points and translate μLL^∞ sequents
(resp. pre-proofs) into μMALL^∞, preserving validity both ways.

3. We will then simulate μLL^∞ reductions in μMALL^∞: a single μLL^∞ step may
require an infinite, or even transfinite, μMALL^∞ mcut-reduction sequence.

4. Finally, we will study the simulation of fair μLL^∞ cut-reduction sequences.
Even though the simulation of μLL^∞ sequences builds transfinite sequences,
we shall see that one can associate a(n almost) fair μMALL^∞ mcut-reduction
sequence to any fair μLL^∞ mcut-reduction sequence, and conclude.

The next four subsections will closely follow the above pathway.


3.1 Cut-Elimination Rules for μLL^∞


μLL^∞ mcut-reduction is defined by extending μMALL^∞ multicut-reduction with
the steps given in Fig. 6. The reduction rules for the exponentials assume a
condition on the premisses of the multi-cut rule: all the proofs (hereditarily) cut-
connected to some distinguished formula must have promotions as last inferences.


Definition 28 ((!p)-ready contexts). A subset of the subproofs of a multicut
is said to be (!p)-ready if all its elements are concluded with an (!p) rule. $C^!$ will
denote a (!p)-ready context and $C^!_F$ a context restriction which is (!p)-ready.


Remark 29. The condition for triggering the exponential key reductions
(?w)/(!p) and (?c)/(!p) as well as the (!p)-commutation rule is expressed in
terms of (!p)-readiness: for every ?-formula ?G in the context of a promotion
which shall either commute or cut-reduce with a ?-rule, we require that $C_{?G}$ is
(!p)-ready.


3.2 Embedding μLL^∞ in μMALL^∞


To extend the cut-elimination result from μMALL^∞ to μLL^∞, we encode the
exponential connectives using fixed points as follows, following Baelde [2]:


Definition 30.
$$
?^\bullet(F) = \mu X.\, F \oplus (\bot \oplus (X ⅋ X)) \qquad\qquad !^\bullet(F) = \nu X.\, F \,\&\, (1 \,\&\, (X \otimes X))
$$
This straightforwardly induces an embedding of μLL^∞ into μMALL^∞:


Definition 31 (Embedding of μLL^∞ sequents into μMALL^∞).
$$
\begin{array}{ll}
(a)^\bullet = a \ \text{ if } a \text{ is an atom} & (\sigma X.F)^\bullet = \sigma X.(F)^\bullet,\ \sigma \in \{\mu,\nu\}\\[2pt]
(u)^\bullet = u \ \text{ if } u \in \{1,\bot,\top,0\} & (?F)^\bullet = ?^\bullet(F^\bullet)\\[2pt]
(A \star B)^\bullet = (A)^\bullet \star (B)^\bullet \ \text{ if } \star \in \{\otimes, ⅋, \&, \oplus\} & (!F)^\bullet = !^\bullet(F^\bullet)
\end{array}
$$


[Fig. 6 residue: the μLL^∞ mcut-reduction rules, namely the commutations of
(?d), (?c), (?w) and (!p) with the multicut and the key cases (?d)/(!p), (?c)/(!p)
and (?w)/(!p), were displayed as proof trees that did not survive extraction.
Their side conditions read as follows.]

- (?d)/(!p) key case: $?F ⫫ !F^\bot$ and $⫫'$ coincides with $⫫$ except for $F ⫫' F^\bot$.
- (?c)/(!p) key case: $C_{!F} \neq \emptyset$, $⫫'$ corresponds to $⫫$ on $C_\Gamma$ and is a
"duplication" of $⫫$ on $C_{!F}$, and each copy of $?F$ is in $⫫'$-relation with the
corresponding copy of $!F^\bot$ in $C_{!F}$.
- (?w)/(!p) key case: $C_{!F} \neq \emptyset$ and $⫫'$ corresponds to the restriction of $⫫$
on $C_\Gamma, \Gamma$.

Fig. 6. μLL^∞ mcut-reduction rules


Definition 32 (μMALL^∞ derivability of the exponentials). μLL^∞ exponential
rules can be encoded in μMALL^∞ as shown in Fig. 7. We denote the derivable
rules by ?d*, ?c*, ?w* and !p* respectively. (!p* uses a circular proof.)


Proposition 33 (Preservation of validity). π is a valid μLL^∞ proof of ⊢ Γ
iff π• is a valid μMALL^∞ proof of ⊢ Γ•.


Proof (Proof sketch). We simply relate the infinite branches in both pre-proofs.
Assuming that π is valid, consider the special case of an infinite branch β of π•
that, when entering the encoding of a promotion, follows the left-most premise of
the (&) rule. To such an infinite branch it is easy to associate an infinite branch
b of π. b is valid and supported by a thread t with least formula νX.F. (νX.F)•
is the least recurring formula in the thread θ associated with t in β: β is valid.
[Fig. 7 residue: the μMALL^∞ derivations of ?d*, ?w*, ?c* and of the circular
!p* did not survive extraction.]

Fig. 7. μMALL^∞ encoding of the exponential inferences
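Since the derivations of Fig. 7 did not survive extraction, the encoded rules of Definition 32 are written out here from Definition 30 as an added illustration (my reconstruction, not the paper's figure); the promotion case also makes explicit the (ν), second-(&), first-(&) path to ⊢ 1, ?•Δ used in the proof sketch of Theorem 27. Unfolding ?•F yields F• ⊕ (⊥ ⊕ (?•F ⅋ ?•F)) and unfolding !•F yields F• & (1 & (!•F ⊗ !•F)); the ?-rules are listed from premise to conclusion.

$$
\begin{array}{ll}
?d^*: & \vdash F^\bullet,\Delta
 \ \xrightarrow{(\oplus_1)}\ \vdash F^\bullet \oplus (\bot \oplus (?^\bullet F ⅋ ?^\bullet F)),\Delta
 \ \xrightarrow{(\mu)}\ \vdash ?^\bullet F,\Delta \\[6pt]
?w^*: & \vdash \Delta
 \ \xrightarrow{(\bot)}\ \vdash \bot,\Delta
 \ \xrightarrow{(\oplus_1)}\ \vdash \bot \oplus (?^\bullet F ⅋ ?^\bullet F),\Delta
 \ \xrightarrow{(\oplus_2)}\ \vdash F^\bullet \oplus (\bot \oplus (?^\bullet F ⅋ ?^\bullet F)),\Delta
 \ \xrightarrow{(\mu)}\ \vdash ?^\bullet F,\Delta \\[6pt]
?c^*: & \vdash ?^\bullet F, ?^\bullet F,\Delta
 \ \xrightarrow{(⅋)}\ \vdash ?^\bullet F ⅋ ?^\bullet F,\Delta
 \ \xrightarrow{(\oplus_2)}\ \vdash \bot \oplus (?^\bullet F ⅋ ?^\bullet F),\Delta
 \ \xrightarrow{(\oplus_2)}\ \vdash F^\bullet \oplus (\bot \oplus (?^\bullet F ⅋ ?^\bullet F)),\Delta
 \ \xrightarrow{(\mu)}\ \vdash ?^\bullet F,\Delta
\end{array}
$$

$$
!p^*:\qquad
\dfrac{
  \dfrac{
    \vdash F^\bullet, ?^\bullet\Delta
    \qquad
    \dfrac{
      \dfrac{\vdash 1}{\vdash 1, ?^\bullet\Delta}\,(?w^*)
      \qquad
      \dfrac{\vdash !^\bullet F, ?^\bullet\Delta \qquad \vdash !^\bullet F, ?^\bullet\Delta}{\vdash !^\bullet F \otimes !^\bullet F, ?^\bullet\Delta}\,(\otimes),(?c^*)
    }{\vdash 1 \,\&\, (!^\bullet F \otimes !^\bullet F), ?^\bullet\Delta}\,(\&)
  }{\vdash F^\bullet \,\&\, (1 \,\&\, (!^\bullet F \otimes !^\bullet F)), ?^\bullet\Delta}\,(\&)
}{\vdash !^\bullet F, ?^\bullet\Delta}\,(\nu)
$$

In the promotion, (?w*) and (?c*) abbreviate one application per formula of Δ, and the two leaves ⊢ !•F, ?•Δ are back-edges to the conclusion, which is what makes !p* a circular proof; its infinite branches are supported by the ν-thread on !•F.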


3.3 Simulation of μLL^∞ Cut-Elimination Steps


Now we have to show that μLL^∞ cut-elimination steps can be simulated by the
previous encoding. E.g., the commutation rule for dereliction is simulated by a
(μ)/(Cut) commutation followed by a (⊕)/(Cut) commutation as follows:


[Derivation residue: the two-step simulation of the (?d) commutation, a (μ)/(Cut)
commutation followed by a (⊕)/(Cut) commutation, did not survive extraction.]


The challenge is to show that the simulation of reductions also holds (i) for
the reductions involving (!p) as well as (ii) for reductions occurring above a
promotion rule (aka. in a box), since the encoding of (!p) uses an infinite, circular
derivation. In the promotion commutation case for instance, we have:


[Derivation residue: the simulation of the (!p) commutation, a sequence of (Cut)
commutations through the encoding ending with a (!p*) step, did not survive
extraction.]


Proposition 34. Each μLL^∞ mcut-reduction r can be simulated in μMALL^∞
by a (possibly infinite) sequence of mcut-reductions, denoted r•.


Remark 35. Conversely, one can wonder whether a possible reduction in π• nec-
essarily comes from the simulation of a reduction step in π. It is almost the
case except when the reduction in π• comes from exponential cuts requiring
a (!p)-ready context (i.e. (!p) commutation as well as (?w)/(!p) and (?c)/(!p)
key cases, see above): in those cases indeed, if the context is “partially ready”
— meaning that some, but not all, the required premises are promoted — a prefix
of the sequence simulating the reduction step can indeed be performed, before
being stuck. As a consequence — and we shall exploit it in the next section when
proving μLL^∞ cut-elimination — the simulation of a fair reduction sequence is
not necessarily fair, but only as long as the above cases are involved:

Proposition 36. There exists a fair reduction ρ from some μLL^∞ (pre-)proof
π such that ρ• is an ω-indexed unfair μMALL^∞ cut-reduction sequence.


3.4 Proof of μLL^∞ Cut-Elimination Theorem

μLL^∞ cut-elimination theorem follows from the following two lemmas:


Lemma 37. Let π be a μLL^∞-proof of ⊢ Γ and $\sigma = (\pi_i, r_i, p_i)_{i \in \omega}$ a fair μLL^∞
cut-reduction sequence from π. σ converges to a cut-free μLL^∞-pre-proof of ⊢ Γ.


Lemma 38. Let π be a μLL^∞ pre-proof of ⊢ Γ and let us consider a cut-
reduction sequence $\sigma = (\pi_i, r_i, p_i)_{i \in \omega}$ in μLL^∞ from π that converges to a cut-free
μLL^∞ pre-proof π'. σ• is a strongly converging (possibly transfinite) sequence.


Proof (Sketch for Thm. 27). Let π be a μLL^∞-proof of ⊢ Γ and $\sigma = (\pi_i, r_i, p_i)_{i \in \omega}$
be a fair μLL^∞ mcut-reduction sequence from π. Consider the associated (trans-
finite) μMALL^∞ mcut-reduction sequence σ• from π• obtained by simulation.
By Lemma 37, σ converges (strongly) to a cut-free μLL^∞ pre-proof π'.

Let us prove that π' is valid. By Lemma 38, σ• is a transfinite mcut-reduction
sequence from π• strongly converging to π'•. By Prop. 26, σ• can be compressed
into $\rho = (\pi'_i, r'_i, p'_i)_{i \in \omega}$, an ω-indexed depth-increasing μMALL^∞ mcut-reduction
sequence which converges to π'• and contains the same reductions as σ•. By
Proposition 36, ρ may not be fair: this prevents us from concluding directly
by Proposition 33 but we can still conclude. Let us consider $\rho_f$, a fair reduction
sequence obtained from ρ by reducing those redexes which cause the lack of
fairness of ρ, and let us consider the limit of $\rho_f$, $\pi_f$. To any infinite branch β of
π'•, one can associate a branch $\beta_f$ of $\pi_f$: it coincides with β except when the
next inference of $\beta_f$ is on a (!F)• (in a sequent, say, ⊢ (!F)•, ?•Δ•) which is not
principal along β. In that case, we expand $\beta_f$ by following the unique premise
of the (ν) rule, the second premise of the first (&) rule and the first premise
of the second (&) rule, reaching ⊢ 1, ?•Δ•, in which case we know that the 1
is not principal (and never will be) and we follow back β. $\beta_f$ has exactly the
same threads as β: finite threads may only be extended finitely on occurrences
of (!F)•. Since $\rho_f$ is fair, $\beta_f$ is valid and so is β.

We can then conclude that π'• is cut-free and valid and, using preservation
of validity (Proposition 33), that π' is a valid cut-free μLL^∞-proof.


Infinitary cut-elimination for the μLL^∞ two-sided sequent calculus is an easy
corollary of Theorem 27. Indeed, fair cut-reduction sequences in two-sided μLL^∞
are mapped to fair reduction sequences in one-sided μLL^∞, from which follows:

Corollary 39. Fair 2-sided μLL^∞ valid mcut-reduction sequences eliminate
cuts.
4 Cut-Elimination Theorem for μLK^∞ and μLJ^∞

Cut-elimination theorems for both μLK^∞ and μLJ^∞ can be established as corol-
laries of Theorem 27. For lack of space, we directly go to our results and postpone
to future work a detailed study of the generalizations to non-wellfounded sequent
calculi of the linear embeddings of LK and LJ into LL developed since Girard's
seminal paper. We shall comment on those translations in the conclusion.


4.1 μLK^∞ Cut-Elimination: Skeletons and Decorations


To any μLL^∞ formulas and μLL^∞ proofs, one can associate their skeletons, that is
corresponding μLK^∞ formulas and proofs, after erasing of the linear information:


Definition 40 (Skeleton). Sk(A) is defined by induction on A ∈ μLL^∞:
$$
\begin{array}{lll}
\mathrm{Sk}(A \otimes B) = \mathrm{Sk}(A) \wedge \mathrm{Sk}(B) & \mathrm{Sk}(A ⅋ B) = \mathrm{Sk}(A) \vee \mathrm{Sk}(B) & \mathrm{Sk}(!A) = \mathrm{Sk}(A)\\[2pt]
\mathrm{Sk}(A \,\&\, B) = \mathrm{Sk}(A) \wedge \mathrm{Sk}(B) & \mathrm{Sk}(A \oplus B) = \mathrm{Sk}(A) \vee \mathrm{Sk}(B) & \mathrm{Sk}(?A) = \mathrm{Sk}(A)\\[2pt]
\mathrm{Sk}(1) = \mathrm{Sk}(\top) = T & \mathrm{Sk}(\bot) = \mathrm{Sk}(0) = F & \mathrm{Sk}(a) = a\\[2pt]
\mathrm{Sk}(A \multimap B) = \mathrm{Sk}(A) \supset \mathrm{Sk}(B) & \mathrm{Sk}(\sigma X.A) = \sigma X.\mathrm{Sk}(A) & \mathrm{Sk}(X) = X
\end{array}
$$
with σ ∈ {μ, ν}.

Given a 2-sided μLL^∞ pre-proof π of Γ ⊢ Δ with last rule r and premises
$(\pi_i)_{1 \leq i \leq n}$, Sk(π) is the μLK^∞ pre-proof of Sk(Γ) ⊢ Sk(Δ) defined corecursively,
by case on r: (i) if r ∈ {(!p), (?d)}, Sk(π) = Sk(π₁); (ii) otherwise, apply the
μLK^∞ rule corresponding to r with premises $(\mathrm{Sk}(\pi_i))_{1 \leq i \leq n}$.

Proposition 41. Sk(·) transports valid μLL^∞-proofs to valid μLK^∞ proofs.

μLK^∞ cut-elimination follows from the existence of μLK^∞ linear decorations.


Proposition 42. For any μLK^∞ sequent s and any μLK^∞ proof π of s, there
is a linear decoration of π, that is a μLL^∞ proof $\pi^l$ such that $\mathrm{Sk}(\pi^l) = \pi$.


Definition 43 (μLK^∞ cut-reduction). The μLK^∞ mcut-reduction relation is
defined as follows: $\to_{\mu\mathrm{LK}^\infty} = \{(\mathrm{Sk}(\pi), \mathrm{Sk}(\pi')) \mid \pi \to_{\mu\mathrm{LL}^\infty} \pi' \ \&\ \ldots\}$.


Theorem 44. μLK^∞ enjoys cut-elimination.


4.2 μLJ^∞ Cut-Elimination


The linear decoration for μLJ^∞ is simply Girard's call-by-value translation [21]
extended to fixed-points on formulas and proofs as follows:


$$
[X]^l = !X; \qquad [\mu X.F]^l = !\mu X.[F]^l; \qquad [\nu X.F]^l = !\nu X.[F]^l.
$$

[Translation residue: the (μ)- and (ν)-rule cases of the translation of proofs,
displayed as proof trees, did not survive extraction.]

The translation is consistent with μLJ^∞- and μLL^∞-positivity conditions.
Definition 45 (μILL^∞). μILL formulas are defined inductively as:
$$
I, J ::= a \mid !X \mid I \multimap J \mid I \,\&\, J \mid I \oplus J \mid \top \mid 0 \mid \mu X.I \mid \nu X.I \mid !I.
$$

A μILL sequent is a sequent of μILL formulas with exactly one formula in the
succedent. A μILL^∞ proof is a μLL^∞ proof containing only μILL sequents.


The translation preserves validity, following from $[X]^l = !X$, by induction.

Lemma 46. The following hold:

- For any μLJ formulas A, B and σ ∈ {μ, ν}, $[A[\sigma X.B/X]]^l = [A]^l[\sigma X.[B]^l/X]$.
- For any μLJ formula A, $[A]^l$ is a μILL formula.
- If π is a μLJ^∞ proof of Γ ⊢ F, then $[\pi]^l$ is a μILL^∞ proof of $[\Gamma]^l \vdash [F]^l$.


On μILL^∞ proofs, the skeletons of the previous section can be reused: Sk(·)
transports valid μILL^∞ proofs to valid μLJ^∞ proofs. Moreover, μILL^∞ proofs are
closed by μLL^∞ cut-reductions, from which we deduce, as for μLK^∞, that:


Theorem 47. μLJ^∞ enjoys cut-elimination.


5 Conclusion 


In the present paper, we established several cut-elimination results for non-
wellfounded proof systems for logics with least and greatest fixed-points, expand-
ing on previous works [4,20]: (i) for μMALL^∞ with sequents as lists, in con-
trast to sequents as sets of locative occurrences [4], (ii) for the 1-sided and 2-sided
sequent calculi of μLL^∞, (iii) for μLK^∞ and (iv) for μLJ^∞. We also established
additional results, from a compression lemma for μMALL^∞ strongly converging
cut-reduction sequences to linear embeddings of μLK^∞ and μLJ^∞ into μLL^∞.


On the Meaning and Expressiveness of Tree-Exponential Modalities. The proof
of our main result proceeds by encoding LL exponentials in μMALL^∞ following an
encoding first considered by Baelde and Miller, and studying μLL^∞ cut-reduction
sequences through their simulation in μMALL^∞, which was first conjectured in
Doumane's thesis [18]. We think that the present paper does not only demon-
strate the usefulness of the encoding but that it also suggests new questions.
Indeed, this encoding has interesting features:


— this “rigid” tree-like exponential does not exhibit the Seely isomorphism but,
even though those isomorphisms are common in axiomatizations of categorical
models of linear logic, it is not necessary to have them as isomorphisms to
build a denotational model of linear logic (that is, which quotients proofs up to
cut-equivalence): the present work is actually an example of this fact. (They
are crucial, though, to encode the λ-calculus in linear logic, as additional
equations are needed, which are realized by Seely isos.)

— These exponentials allow for a realization of a somehow non-uniform promo-
tion: indeed, while a proof of ⊢ !•F, ?•Γ has to provide a proof of ⊢ F, ?•Γ,
the circular definition of the promotion is not the only possible definition:
one can consider as well promotions that would provide a distinct value each
time a box is opened (e.g. a proof of ⊢ !•μX.1 ⊕ X may provide distinct
integers depending on how structural rules managed the resource). See [30]
for a detailed discussion.


This tree-like exponential is being investigated with Ehrhard and Jafarrahmani. 


Benefiting from Advances in Infinitary Rewriting. Our cut-elimination proof by
encoding μLL^∞ into μMALL^∞ relies on a simulation of reduction sequences
which makes use of transfinite reduction sequences and compression results.
Those techniques are inspired and adapted from the literature on infinitary
rewriting. We plan to make clearer the connection between non-wellfounded
proof theory and infinitary rewriting in the future, even though in the present
state it was not possible to readily apply results from infinitary rewriting such
as the compression lemma, which we had to reprove in our setting [31]. Moreover,
we did not make use of coinductive formulations of infinitary rewriting [19]. That
is another direction for future work: currently, we do not know how to use those
formulations of infinitary rewriting because the sequences we consider by simu-
lation are not given as (strongly) converging sequences. We plan to reconsider
this and benefit from the coinductive approach to infinite reduction sequences.


On Linear Translations for Fixed-Point Logics and Non-Wellfounded Proofs.
We obtained a cut-elimination theorem for μLK^∞ and μLJ^∞ thanks to linear
translations which deserve some comments. While the linear translation used for
μLJ^∞ is standard (it is a call-by-value translation dating back to Girard's seminal
paper), the treatment of classical logic was more complex. Indeed, the usual linear
translations for classical logic introduce, at places, cuts. Due to the sensitivity
of the straight-thread validity condition with respect to the presence of cuts
in cycles, we could not use those translations. However, we plan to investigate
whether a more standard translation can be used in the specific case of bouncing
validity [3].


A Treatment of Cut-Elimination Which Is Agnostic to Validity Conditions.
Last but not least, a major advantage of our approach is that the μMALL^∞ cut-
elimination proof and, to some extent, the validity conditions, are regarded as
black boxes, simplifying the presentation of the proof and making it reusable
w.r.t. other validity conditions or μMALL^∞ proof techniques. The proof seems to
be reusable easily with bouncing validity for instance (even though setting up an
adequate definition of bouncing validity for μLL^∞ is quite tricky). A fragment
which seems promising, and that we wish to investigate in the near future, is
μMELL^∞ equipped with bouncing validity [3].
Abstract. We introduce ill-founded sequent calculi for two intuitionistic 
linear-time temporal logics. Both logics are based on the language of intu- 
itionistic propositional logic with ‘next’ and ‘until’ operators and are eval- 
uated on dynamic Kripke models wherein the intuitionistic and temporal 
accessibility relations are assumed to satisfy one of two natural confluence 
properties: forward confluence in one case, and both forward and back- 
ward confluence in the other. The presented sequent calculi are cut-free 
and incorporate a simple form of formula nesting. Soundness of the calculi 
is shown by a standard argument and completeness via proof search. 


Keywords: Sequent calculus - Intuitionistic logic - Temporal logic - 
Ill-founded proofs 


1 Introduction 


Intuitionistic modal and temporal logics have found tangible applications in com- 
puter science [7,9,12,13,16,22] and with that comes the motivation for devel- 
oping succinct proof systems that facilitate establishing fundamental properties 
such as decidability and algorithmic proof search. Temporal logic describes a 
range of modal logics in which modal and ‘fixed point’ operators are interpreted 
as temporal relations. An important example is linear-time temporal logic LTL, 
whose temporal operators include a ‘next’ operator X and an ‘until’ operator U. 
The formula XA is interpreted as ‘A is true in the next time-step’, and AU B as 
‘A is true until B is true’. The until operator satisfies the equivalence 


$$
A\,U\,B \quad\text{iff}\quad B \vee (A \wedge X(A\,U\,B)),
$$

showing that A U B is a fixed point of the propositional function p ↦ B ∨ (A ∧ Xp).

Advances in the proof theory of temporal logics evidence that ill-founded cal-
culi are particularly suitable for capturing the behaviour of fixed point operators
in a syntactic way [1,8,10,15]. So far, the study of such proof systems has focused
on classical logic and their applicability to intuitionistic temporal logics remains
largely unexplored. One of the obstacles in directly applying the techniques from
the classical setting is the interaction of the temporal and intuitionistic relation
in the intuitionistic Kripke semantics.

A standard way to present the semantics of intuitionistic propositional logic
is in terms of Kripke models (W, ≤, V), where ≤ is a partial order on the set
of worlds W and V a valuation that is monotone in ≤. A key property of this
semantics is the monotonicity lemma: for all v, v' ∈ W, if v ≤ v' and v ⊨ A
then v' ⊨ A. The semantics of intuitionistic modal/temporal logics can be given
in terms of intuitionistic Kripke models (W, ≤, V) equipped with an additional
relation R on W used to interpret the modal operators. In order to keep the
monotonicity property, modalities are interpreted as follows.

$$
\begin{array}{lcl}
w \vDash \Box A &\text{iff}& \forall w' \geq w\ \forall v\,(w' R v \text{ implies } v \vDash A)\\[2pt]
w \vDash \Diamond A &\text{iff}& \forall w' \geq w\ \exists v\,(w' R v \text{ and } v \vDash A)
\end{array}
$$


One can also use the classical truth conditions for modalities and instead impose 
confluence properties on R and < to ensure monotonicity. Two confluence prop- 
erties considered in the literature are: 


Forward confluence: if v ≥ w and wRw' then there exists v' ≥ w' with vRv'.
Backward confluence: if wRw' and w' ≤ v' then there exists v ≥ w with vRv'.


In the setting of intuitionistic LTL, forward confluence alone suffices to obtain the 
monotonicity lemma [3]. Since Simpson [20] argues that an intuitionistic reading 
of possible world semantics results in models that also satisfy backward conflu- 
ence, intuitionistic modal logic is generally used to refer to the logic obtained 
when adopting both conditions. Nevertheless, logics corresponding to weaker 
frame conditions, often called constructive modal logics, have also received con- 
siderable interest (see e.g. [2,23]). 

In this work, the language of linear temporal logic is interpreted over models 
satisfying forward confluence and models satisfying both forward and backward 
confluence; following the terminology in [3], they are referred to as expanding 
and persistent models, respectively. To date, neither logic has been given a sound 
and complete axiomatisation.¹ For each of the resulting logics, we present a cut- 
free, ill-founded sequent calculus. Both calculi employ a simple form of nested 
sequents so that formulas can be operated on at different temporal steps. This 
form of nesting has been used by Kojima and Igarashi [14] to obtain a finitary 
calculus for a constructive interpretation of LTL without the until operator. 

A standard technique for showing completeness of an ill-founded calculus is 
to set up a proof search game between two players, Prover and Refuter, such 


¹ A Hilbert-style axiomatisation exists for the ‘eventually’ only fragment over expand-
ing models [5] but the case of persistent models is unknown.
that a winning strategy for Prover corresponds to a proof and a winning strategy 
for Refuter to a countermodel (see e.g. [1,19]). When applying this technique to 
the intuitionistic case, one needs to ensure that the constructed ‘countermodel’ 
satisfies the required frame conditions. We present such a proof search game 
for both logics. The use of nested sequents is crucial for the game as it enables 
postponing the application of non-invertible rules until all relevant information 
about future time steps is determined. 

Intuitionistic temporal logics have been studied in different contexts, the most
notable of which are metaprogramming and topological dynamics. The former
involves the addition of temporal operators to λ-calculi with the aim of modelling
aspects of metaprogramming such as staged computation (see e.g. [7,21,24]). The
latter concerns the use of intuitionistic temporal logics to reason about dynami-
cal topological systems. Fernández-Duque [11] introduced the logic ITL^c, in which
formulas of LTL are interpreted in general topological models, and showed that
its restriction to the ‘eventually’ operator ◇ is decidable.² Boudou et al. [4] show
the decidability of the same fragment interpreted in expanding models, denoted by
ITL^e, and provide a Hilbert-style axiomatisation for both logics in [5]. A calculus
with ω-branching inference rules is given in [6] for ITL^e extended with the ‘hence-
forth’ operator. To date, no recursive axiomatisation of the validities in persistent
models is known.


Outline. Section 2 introduces the syntax and semantics of intuitionistic linear
temporal logic iLTL. Section 3 presents the proof system iLTL_e^∞, which is proven
sound and complete with respect to expanding models in Sects. 4 and 5. In
Sect. 6, we outline how iLTL_e^∞ can be adapted to obtain a system iLTL_p^∞ that
is sound and complete with respect to persistent models.


2 Syntax and Semantics 


Fix a countable set Prop of atomic propositions. Formulas of iLTL are defined
inductively as follows:

$$
A, B ::= \bot \mid p \mid A \wedge B \mid A \vee B \mid A \to B \mid XA \mid A\,U\,B
$$

where p ∈ Prop. We denote formulas by A, B, etc., and atomic propositions by
p, q, etc. We define the formula $X^n A$ inductively by $X^0 A := A$ and $X^{n+1} A :=
X X^n A$.

Formulas of iLTL are evaluated on dynamic models, which are intuitionis- 
tic Kripke models equipped with a time function that maps each world to its 
temporal successor. 


Definition 1. A dynamic model is a tuple M = (W, ≤, f, V) where

1. W is a non-empty set,
2. ≤ is a partial order on W,
3. f : W → W is a function and


4. V : W → P(Prop) is a valuation function that is monotone in ≤, i.e., for
all w, v ∈ W, if w ≤ v, then V(w) ⊆ V(v).

² In our notation, the eventually operator ◇ can be defined as ◇A := ⊤ U A.

[Fig. 1 residue: the two diagrams illustrating forward and backward confluence
(worlds w, v, f(w), f(v) related by ≤ and f) did not survive extraction.]

Fig. 1. Forward and backward confluence.


Elements of W are called worlds. If w, v ∈ W such that f(w) = v, then v is
called the temporal successor of w. If w ≤ v, then v is called an intuitionistic
successor of w. We inductively define $f^0(w) := w$ and $f^{n+1}(w) := f(f^n(w))$.

Given a dynamic model M = (W, ≤, V, f), the truth relation M, w ⊨ A where
w ∈ W is defined inductively on A as follows.


$$
\begin{array}{lcl}
M, w \nvDash \bot\\[2pt]
M, w \vDash p &\text{iff}& p \in V(w),\\[2pt]
M, w \vDash A \wedge B &\text{iff}& M, w \vDash A \text{ and } M, w \vDash B,\\[2pt]
M, w \vDash A \vee B &\text{iff}& M, w \vDash A \text{ or } M, w \vDash B,\\[2pt]
M, w \vDash A \to B &\text{iff}& \text{for all } v \geq w, \text{ if } M, v \vDash A \text{ then } M, v \vDash B,\\[2pt]
M, w \vDash XA &\text{iff}& M, f(w) \vDash A,\\[2pt]
M, w \vDash A\,U\,B &\text{iff}& \text{there exists } n < \omega \text{ such that } M, f^n(w) \vDash B \text{ and for all}\\
&& m < n \text{ we have } M, f^m(w) \vDash A.
\end{array}
$$


Validity and satisfiability over a class of dynamic models are defined in the 
standard way. 

We consider dynamic models that satisfy certain confluence properties, 
namely forward and backward confluence, which are illustrated in Fig. 1. 


Definition 2. A dynamic model M = (W, ≤, f, V) is
- expanding if M is forward confluent: for all w, v ∈ W,
if w ≤ v, then f(w) ≤ f(v),
- persistent if M is expanding and backward confluent: for all w, v' ∈ W,
if v' ≥ f(w), then there exists v ≥ w with f(v) = v'.


We denote by iLTL_e and iLTL_p the set of iLTL-validities over expanding and
persistent models, respectively. It is easy to check that the temporal version of
the K-axiom, namely X(A → B) → (XA → XB), is valid over expanding models.
The converse (XA → XB) → X(A → B) is only valid over persistent models,
and so we have iLTL_e ⊂ iLTL_p.
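As a concrete check of the last claim, here is a small expanding model in which the converse K-axiom fails; the model is constructed for this note and is not taken from the paper (take A := p and B := ⊥).

$$
\begin{aligned}
& W = \{w, x, u\}, \qquad {\leq} = \{(w,w), (x,x), (u,u), (x,u)\}, \qquad f(w) = x,\ f(x) = x,\ f(u) = u,\\
& V(w) = V(x) = \emptyset, \qquad V(u) = \{p\}.
\end{aligned}
$$

V is monotone since V(x) = ∅ ⊆ V(u). M is expanding: the only non-trivial pair is x ≤ u and f(x) = x ≤ u = f(u). It is not persistent: u ≥ f(w) = x, but the only v ≥ w is w itself and f(w) = x ≠ u. Now M, w ⊨ Xp → X⊥ holds vacuously, because the only v ≥ w is w and M, f(w) = M, x ⊭ p. Yet M, w ⊭ X(p → ⊥), since f(w) = x has the intuitionistic successor u with M, u ⊨ p and M, u ⊭ ⊥. Hence M, w ⊭ (Xp → X⊥) → X(p → ⊥), so this instance of the converse K-axiom lies in iLTL_p but not in iLTL_e.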

With a straightforward induction, one can prove the monotonicity lemma for 
expanding models. Note that the lemma thus also holds for persistent models. 


Lemma 1. Let M = (W, ≤, V, f) be an expanding model, w, v ∈ W and A a
formula. If M, w ⊨ A and w ≤ v, then M, v ⊨ A.

3 Nested Ill-Founded Proofs


In this section we present an ill-founded sequent calculus that is sound and 
complete with respect to the class of expanding models. Proofs in this calculus 
are finitely-branching trees that admit infinitely long branches. Importantly, the 
calculus has no explicit induction rule and does not make use of the cut-rule. 

To ensure soundness, infinite branches are required to satisfy a global sound- 
ness condition, which is presented in a standard way using formula traces. To 
ensure completeness, the calculus incorporates a simple form of nesting. 


Definition 3. A nested iLTL-formula is a tuple (A, n), denoted by $A^n$, with A
an iLTL-formula and n < ω. A sequent is an ordered pair (Γ, Δ), written as
Γ ⇒ Δ, where Γ and Δ are finite sets of nested formulas.


For the remainder of this paper we call nested formulas simply formulas. For-
mulas that are not nested are called plain. Observe that sequents Γ ⇒ Δ may
contain multiple formulas in Δ, i.e. we consider a multi-succedent calculus. The
intended interpretation of a nested formula $A^n$ is the plain formula $X^n A$. The
interpretation of a sequent $A_1^{n_1}, \ldots, A_k^{n_k} \Rightarrow B_1^{m_1}, \ldots, B_l^{m_l}$ is the plain formula
$$
\bigwedge_{1 \leq i \leq k} X^{n_i} A_i \ \to\ \bigvee_{1 \leq j \leq l} X^{m_j} B_j.
$$

We write M, w ⊨ $A^n$ if M, w ⊨ $X^n A$, and M, w ⊨ Γ ⇒ Δ if M, w satisfies the
interpretation of Γ ⇒ Δ. For any set Γ of nested formulas, we define $\Gamma^{+1} =
\{A^{n+1} \mid A^n \in \Gamma\}$.


Definition 4. The sequent calculus iLTL_e^∞ consists of the rules in Fig. 2. Rules
without premises are called axioms.


The propositional rules of iLTL_e^∞ are based on the multi-succedent calculus
G3im from Negri and von Plato [18] and the nesting is inspired by the work
of Kojima and Igarashi [14]. The rule →L differs from the presentation in Negri
and von Plato insofar as there is no weakening in the left premise, resulting
in invertibility of →L. The choice to use a multi-succedent instead of a single-
succedent calculus is motivated by the former's better compatibility with proof
search. Observe that the rule →R has only a single formula in the succedent of the
premise, ensuring that the law of excluded middle is not derivable. Moreover, →R
can only be applied to implications with nesting level 0. Relaxing this restriction
by allowing implications of arbitrary nesting depth is unsound for expanding
models but sound and complete for persistent models (see Sect. 6).

The U-rules capture the equivalence A U B ≡ B ∨ (A ∧ X(A U B)) and the
‘shift’ rule S captures modal necessitation. The rules XL and XR are purely
structural as $(XA)^n$ has the same interpretation as $A^{n+1}$. Moreover, note that all
rules except S and →R are invertible in the sense that the conclusion is valid
[Fig. 2 residue: the rule table of iLTL_e^∞ (the axioms, ∧L, ∧R, ∨L, ∨R, →L, →R,
XL, XR, UL, UR and the shift rule S) did not survive extraction.]

Fig. 2. Rules of the system iLTL_e^∞. The symbols Γ, Δ, Σ and Π range over arbitrary
finite sets of nested formulas which may be empty.


if and only if the premises are.³ We will therefore refer to S and →R as the
non-invertible rules and to all other rules as the invertible rules.

It will be helpful to refer to formulas according to their role in a particular
rule application. For each rule, the distinguished formula in the conclusion is
called principal and the distinguished formulas in the premises are called its
residuals; for example, in →L the principal formula is $(A \to B)^n$ and its residuals
are $(A \to B)^n$, $A^n$ and $B^n$. In S, all formulas in the conclusion are principal and
each formula in the premise is the residual of its corresponding principal formula;
in particular, formulas in Σ and Π have no residual. In every rule application,
any formula that is neither principal nor residual is called a side formula.

A derivation in iLTL_e^∞ of a sequent σ is a finite or infinite tree whose nodes
are labelled according to the rules of iLTL_e^∞ and whose root is labelled by
σ. We will read trees ‘upwards’, so the nodes labelled by premises are viewed
as successors of the node labelled by the conclusion. A path through such a
derivation T is a finite or infinite sequence $p_0, p_1, \ldots$ of nodes of T such that for
each index i, $p_{i+1}$ is a direct successor of $p_i$ in T.


Definition 5. Let $p$ be a path through a derivation $T$. A (formula) trace on $p$ is a finite or infinite sequence of nested formulas $A_0, A_1, \dots$ such that for each index $i$ the following hold.

1. $A_i$ occurs on the left-hand side of the sequent labelling $p_i$;
2. if $A_i$ is a principal formula in the rule applied at $p_i$, then $A_{i+1}$ is a residual formula of $A_i$ in $p_{i+1}$;
3. if $A_i$ is a side formula in the rule applied at $p_i$, then $A_{i+1} = A_i$.

³ This is a semantic notion of invertibility. The syntactic invertibility of these rules, meaning that the conclusion is provable if and only if the premises are, will follow from soundness and completeness.


For any rule $R$, we say that a trace $(A_i)_i$ actively passes through $R$ if there is an index $j$ such that $A_j$ is a principal formula in an application of $R$.

Definition 6. A formula trace is good if it actively passes through infinitely many applications of the rule $UL$.


The following lemma describes a straightforward yet key property of good formula traces.

Lemma 2. If $(A_i)_i$ is a good formula trace, then there is a plain formula of the form $A\,U\,B$ and some $j < \omega$ such that for all $k \geq j$, $A_k$ is of the form $A\,U\,B^{m_k}$ or $X(A\,U\,B)^{m_k}$ for some $m_k < \omega$.


A proof in $\mathsf{iLTL}^\infty_e$ is defined as follows.

Definition 7. An $\mathsf{iLTL}^\infty_e$-derivation $T$ of a sequent $\sigma$ is a proof of $\sigma$ if

1. every leaf in $T$ is labelled by an axiom;
2. every infinite branch of $T$ contains an infinite path that has a good formula trace.


4 Soundness 


This section establishes soundness of $\mathsf{iLTL}^\infty_e$ with respect to the class of expanding models. The proof proceeds via a standard argument using signatures: maps that associate a natural number to each 'relevant' formula in a sequent $\sigma$. We assume towards a contradiction that there is a proof $\pi$ of an invalid sequent $\sigma$. Then, using a countermodel of $\sigma$, we find an infinite path $p$ of invalid sequents in $\pi$ and assign a signature to each of them. By ensuring that these signatures never increase, and strictly decrease when passing through the $UL$-rule, it then follows that a good formula trace on $p$ corresponds to an infinite descent of natural numbers. The aforementioned 'relevant' formulas are called eventualities.

For a sequent $\sigma$, let $\Gamma_\sigma$ and $\Delta_\sigma$ denote, respectively, the left-hand and right-hand side of $\sigma$.


Definition 8. An eventuality is a formula of the form $X^j(A\,U\,B)^n$ with $n, j < \omega$. Given a sequent $\sigma$, a formula $E$ is an eventuality of $\sigma$ if $E$ is an eventuality occurring in $\Gamma_\sigma$.

Let $U^k$ be the operator defined inductively by $A\,U^0\,B = B$ and $A\,U^{k+1}\,B = A \land X(A\,U^k\,B)$. For an eventuality $E = X^j(A\,U\,B)^n$ and $k < \omega$ define

$$E[k] := X^j(A\,U^k\,B)^n.$$

Given a sequent $\sigma$, a signature for $\sigma$ is a map $\tau$ which assigns a natural number to each eventuality of $\sigma$. By $\Gamma_\sigma[\tau]$ we denote the set obtained from $\Gamma_\sigma$ by replacing each eventuality $E$ with $E[\tau(E)]$. Furthermore, we let $\sigma[\tau]$ denote the sequent $\Gamma_\sigma[\tau] \Rightarrow \Delta_\sigma$.
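As an added illustration of the definitions above (this is not code from the paper), the following Python encodes nested formulas, expanding models, intuitionistic satisfaction and sequent validity, and computes signatures $\tau(E)$ directly from the definition of $E[k]$. The tuple encoding of formulas, the `ExpandingModel` class and the sample model are assumptions of this example; the sample is small enough that every value below can be checked by hand.

```python
"""Expanding-model semantics for nested iLTL formulas and the signatures of
Section 4.  Added example; encoding and sample model are not from the paper.
Plain formulas are tuples: ('p', name) | ('bot',) | ('and', A, B) |
('or', A, B) | ('imp', A, B) | ('X', A) | ('U', A, B).  A nested formula
A^n is the pair (A, n); a sequent side is any collection of nested formulas."""

BOT = ('bot',)
TOP = ('imp', BOT, BOT)            # T := ⊥ → ⊥ and ◇A := T U A (Section 5.2)

def diamond(a):
    return ('U', TOP, a)

def until_k(a, b, k):
    """A U^k B:  A U^0 B = B  and  A U^(k+1) B = A ∧ X(A U^k B)."""
    f = b
    for _ in range(k):
        f = ('and', a, ('X', f))
    return f

class ExpandingModel:
    """M = (W, <=, f, V).  `leq` must be transitive; reflexivity is added."""
    def __init__(self, worlds, leq, succ, val):
        self.W = list(worlds)
        self.f = dict(succ)
        self.V = {w: set(val.get(w, ())) for w in self.W}
        self.leq = set(leq) | {(w, w) for w in self.W}

    def above(self, w):
        return [v for v in self.W if (w, v) in self.leq]

    def is_expanding(self):
        """Forward confluence and monotone valuation, the two conditions
        Lemma 7 verifies for the countermodel built from a refutation."""
        return all((self.f[w], self.f[v]) in self.leq and self.V[w] <= self.V[v]
                   for w, v in self.leq)

def sat(m, w, a):
    """Intuitionistic satisfaction M, w |= A for a plain formula A."""
    tag = a[0]
    if tag == 'p':   return a[1] in m.V[w]
    if tag == 'bot': return False
    if tag == 'and': return sat(m, w, a[1]) and sat(m, w, a[2])
    if tag == 'or':  return sat(m, w, a[1]) or sat(m, w, a[2])
    if tag == 'imp': return all(not sat(m, v, a[1]) or sat(m, v, a[2])
                                for v in m.above(w))   # all v >= w
    if tag == 'X':   return sat(m, m.f[w], a[1])
    if tag == 'U':   # some f^n(w) |= B with f^k(w) |= A for every k < n
        v = w
        for _ in range(len(m.W)):     # the f-orbit of w has at most |W| worlds
            if sat(m, v, a[2]): return True
            if not sat(m, v, a[1]): return False
            v = m.f[v]
        return False
    raise ValueError(tag)

def sat_nested(m, w, nested):
    """w |= A^n iff f^n(w) |= A."""
    a, n = nested
    for _ in range(n):
        w = m.f[w]
    return sat(m, w, a)

def sat_sequent(m, w, gamma, delta):
    """w |= (Γ ⇒ Δ): every v >= w satisfying all of Γ satisfies some of Δ."""
    return all(any(sat_nested(m, v, d) for d in delta)
               for v in m.above(w) if all(sat_nested(m, v, g) for g in gamma))

def signature(m, w, eventuality):
    """τ(E) = least k with w |= E[k] for E = X^j (A U B)^n; None if w |/= E."""
    a, n = eventuality
    j = 0
    while a[0] == 'X':
        a, j = a[1], j + 1
    assert a[0] == 'U', "not an eventuality"
    for k in range(len(m.W) + 1):       # a witness index for U is below |W|
        e_k = until_k(a[1], a[2], k)
        for _ in range(j):
            e_k = ('X', e_k)
        if sat_nested(m, w, (e_k, n)):
            return k
    return None

# Constructed sample (not from the paper): temporal chain 0 -> 1 -> 2 -> 2,
# intuitionistic extension 3 -> 4 -> 4 with 0 <= 3, 1 <= 4, 2 <= 4.
SAMPLE = ExpandingModel(
    worlds=range(5), leq={(0, 3), (1, 4), (2, 4)},
    succ={0: 1, 1: 2, 2: 2, 3: 4, 4: 4},
    val={1: {'a'}, 2: {'a', 'b'}, 3: {'a', 'c'}, 4: {'a', 'b', 'c'}})
A, B, C = ('p', 'a'), ('p', 'b'), ('p', 'c')

def signature_checks(m=SAMPLE, w=0):
    """The two signature facts used in the proof of Theorem 1: the UL residual
    X(A U B)^n has signature one below the principal A U B^n, and S shifts
    nesting levels without changing signatures."""
    e = (('U', TOP, B), 0)                    # (T U b)^0
    ul_residual = (('X', ('U', TOP, B)), 0)   # X(T U b)^0
    before_s = (('U', TOP, B), 1)             # (T U b)^1, i.e. (T U b)^0 after S
    return {'tau': signature(m, w, e),
            'UL decreases': signature(m, w, ul_residual) == signature(m, w, e) - 1,
            'S shifts': signature(m, m.f[w], e) == signature(m, w, before_s)}
```

In the sample model the eventuality $(\top\,U\,b)^0$ has signature 2 at world 0 (the first $b$ lies two steps ahead), its $UL$ residual $X(\top\,U\,b)^0$ has signature 1, and moving to $f(0)$ while lowering the nesting level leaves the signature unchanged, which is exactly the bookkeeping the soundness proof relies on.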
Theorem 1. Every sequent provable in $\mathsf{iLTL}^\infty_e$ is valid over the class of expanding models.


Proof. Let $\pi$ be an $\mathsf{iLTL}^\infty_e$-proof of $\sigma$ and suppose, for contradiction, that $\sigma$ is not valid. Let $M = (W, \leq, f, V)$ be an expanding model and $w \in W$ such that $M, w \not\models \sigma$. For brevity, we will identify each node in $\pi$ with the sequent that labels it.

We will inductively define a path $(\sigma_i)_i$ of sequents through $\pi$, a sequence of worlds $(w_i)_i$ in $M$ and a sequence of signatures $(\tau_i)_i$ such that the following hold for every $i < \omega$:

1. $\tau_i$ is a signature for $\sigma_i$;
2. $w_i \models \bigwedge \Gamma_{\sigma_i}[\tau_i]$ and $w_i \not\models \bigvee \Delta_{\sigma_i}$ (and thus $w_i \not\models \sigma_i[\tau_i]$ and $w_i \not\models \sigma_i$);
3. for every eventuality $E$ of $\sigma_i$, the following hold:
   (a) $\tau_i(E)$ is the least natural number $k$ such that $w_i \models E[k]$;
   (b) if $E$ is a side formula in the rule application with conclusion $\sigma_i$, then $E$ is an eventuality of $\sigma_{i+1}$ and $\tau_{i+1}(E) \leq \tau_i(E)$.

We define $(\sigma_i)_i$, $(w_i)_i$ and $(\tau_i)_i$ as follows.

Set $\sigma_0 = \sigma$. Since $w \not\models \sigma$, there exists a $v \geq w$ such that $v \models \bigwedge \Gamma_\sigma$ and $v \not\models \bigvee \Delta_\sigma$. Set $w_0 = v$ and for every eventuality $E$ in $\Gamma_\sigma$, define $\tau_0(E)$ to be the least $k$ such that $w_0 \models E[k]$.

Suppose $\sigma_i$, $w_i$ and $\tau_i$ are given. We use a case distinction based on the rule applied at $\sigma_i$ in $\pi$ (i.e. the rule that has $\sigma_i$ as conclusion). Note that this rule cannot be an axiom, since $w_i \not\models \sigma_i$. We only show the cases $\to R$, $XL$, $S$ and $UL$; the other cases are treated in a straightforward way.


$\to R$: Suppose $\sigma_i = (\Gamma \Rightarrow A \to B^0, \Delta)$ with $A \to B^0$ principal in the rule application. Let $\sigma_{i+1} = (\Gamma, A^0 \Rightarrow B^0)$. Since $w_i \not\models A \to B^0$, there exists a $w_{i+1} \geq w_i$ such that $w_{i+1} \models A^0$ and $w_{i+1} \not\models B^0$. For any eventuality $E$ in $\Gamma \cup \{A^0\}$, let $\tau_{i+1}$ map $E$ to the least $k$ such that $w_{i+1} \models E[k]$. Since $w_{i+1} \geq w_i$, by monotonicity (Lemma 1) we have $\tau_{i+1}(E) \leq \tau_i(E)$ for each eventuality $E$ in $\Gamma$.

$XL$: Suppose $\sigma_i = (\Gamma, XA^n \Rightarrow \Delta)$ with $XA^n$ principal in the rule application. Let $\sigma_{i+1} = (\Gamma, A^{n+1} \Rightarrow \Delta)$ and $w_{i+1} = w_i$. If $A^{n+1}$ is an eventuality, define $\tau_{i+1}(A^{n+1}) := \tau_i(XA^n)$. On other eventualities, $\tau_{i+1}$ acts as $\tau_i$.

$S$: Suppose $\sigma_i = (\Sigma, \Gamma^{+1} \Rightarrow \Delta^{+1}, \Pi)$ such that $\Gamma \Rightarrow \Delta$ is the premise of the rule application. Let $\sigma_{i+1} = (\Gamma \Rightarrow \Delta)$, $w_{i+1} = f(w_i)$ and $\tau_{i+1}(A^n) = \tau_i(A^{n+1})$ for every eventuality $A^n$ in $\Gamma$.

$UL$: Suppose $\sigma_i = (\Gamma, A\,U\,B^n \Rightarrow \Delta)$ with $A\,U\,B^n$ principal in the rule application.

If $\tau_i(A\,U\,B^n) = 0$, let $\sigma_{i+1} = (\Gamma, B^n \Rightarrow \Delta)$ and $w_{i+1} = w_i$. If $B^n$ is an eventuality and not in $\Gamma$, let $\tau_{i+1}$ map $B^n$ to the least $k$ such that $w_{i+1} \models B^n[k]$. On other eventualities, $\tau_{i+1}$ acts as $\tau_i$.

Alternatively, if $\tau_i(A\,U\,B^n) > 0$, let $\sigma_{i+1} = (\Gamma, A^n, X(A\,U\,B)^n \Rightarrow \Delta)$ and $w_{i+1} = w_i$. If $A^n$ is an eventuality and not in $\Gamma$, let $\tau_{i+1}$ map $A^n$ to the least $k$ such that $w_{i+1} \models A^n[k]$. Define $\tau_{i+1}(X(A\,U\,B)^n) = \tau_i(A\,U\,B^n) - 1$. On other eventualities, $\tau_{i+1}$ acts as $\tau_i$.
It is easy to verify that $(\sigma_i)_i$, $(w_i)_i$ and $(\tau_i)_i$ satisfy properties 1-3.

Since $\pi$ is a proof, the infinite branch $(\sigma_i)_i$ must contain a good trace $(A_i)_{i \geq j}$ starting in some sequent $\sigma_j$. By Lemma 2, we may assume that this trace only passes actively through the rules $XL$, $S$ and $UL$, and it cannot pass through the latter in a degenerative way.⁴ Now consider the infinite sequence $(\tau_i(A_i))_{i \geq j}$ of natural numbers. Note that, by property 3(b), if $A_i$ is a side formula then $\tau_{i+1}(A_{i+1}) \leq \tau_i(A_i)$. Moreover, if $A_i$ is principal in an application of $XL$ or $S$ then $\tau_{i+1}(A_{i+1}) = \tau_i(A_i)$, and if $A_i$ is principal in a (non-degenerative) application of $UL$ then $\tau_{i+1}(A_{i+1}) < \tau_i(A_i)$. As the trace is good, the latter case occurs infinitely often, and so we obtain an infinite sequence of natural numbers that never increases and strictly decreases infinitely often, which is impossible. This is the desired contradiction.


5 Completeness 


This section establishes completeness of $\mathsf{iLTL}^\infty_e$ with respect to the class of expanding models. For each sequent $\sigma$ we construct an infinite two-player game between Prover (Prov) and Refuter (Ref) such that a winning strategy for Prov corresponds to a proof of $\sigma$ and a winning strategy for Ref to the existence of a countermodel for $\sigma$. The game will be played on a proof search tree, which is a finitely branching, ill-founded tree that presents a systematic search for a proof of $\sigma$. In this tree, non-invertible rules will only be applied to saturated sequents.


Definition 9. A sequent $\Gamma \Rightarrow \Delta$ is left-saturated if the following hold.

1. if $A \land B^n \in \Gamma$, then $A^n, B^n \in \Gamma$;
2. if $A \lor B^n \in \Gamma$, then $A^n \in \Gamma$ or $B^n \in \Gamma$;
3. if $A \to B^n \in \Gamma$, then $A^n \in \Delta$ or $B^n \in \Gamma$;
4. if $XA^n \in \Gamma$, then $A^{n+1} \in \Gamma$;
5. if $A\,U\,B^n \in \Gamma$, then there exists an $m \geq n$ such that $B^m \in \Gamma$ and $A^k \in \Gamma$ for all $n \leq k < m$.

The sequent is saturated if, in addition,

6. if $A \land B^n \in \Delta$, then $A^n \in \Delta$ or $B^n \in \Delta$;
7. if $A \lor B^n \in \Delta$, then $A^n, B^n \in \Delta$;
8. if $XA^n \in \Delta$, then $A^{n+1} \in \Delta$;
9. if $A\,U\,B^0 \in \Delta$, then $B^0, A^0 \in \Delta$ or $B^0, X(A\,U\,B)^0 \in \Delta$.

Given a sequent $\sigma$, we say that a formula $\varphi$ is saturated in $\sigma$ if $\sigma$ satisfies the relevant saturation clause for $\varphi$.


Note that the saturation clause for right U-formulas is restricted to the zeroth 
nesting level. The saturation clause for left U-formulas is needed to ensure that 
the valuation of the countermodel constructed from a failed proof search is mono- 
tone. This will become evident once we define such countermodels later in this 
section. 


⁴ Formally, a trace $(A_i)_i$ passes degeneratively through $UL$ if there is an $A_i$ of the form $A\,U\,B^n$ such that $A_{i+1} \in \{A^n, B^n\}$.


232 B. Afshari et al. 


As we are working with set sequents, formulas can simultaneously function as principal and side formulas. To avoid creating infinite branches with no good trace, one needs to be explicit about how rules may be applied in the proof search tree. We call an application of a rule succinct if the principal formula(s) is not also a side formula, and preserving if the principal formula(s) is also a side formula. For example, an application of $XL$ of the form given in Fig. 2 is succinct if $XA^n \notin \Gamma$ and preserving if $XA^n \in \Gamma$. Rule applications of $\to R$ and $S$ are always succinct. Note that succinct and preserving are dual notions; we find it useful to refer to them as separate concepts as they each highlight a key property of the proof search tree.


Definition 10. A proof search tree $T$ for a sequent $\sigma$ is a finite or infinite tree whose nodes are labelled according to the rules of $\mathsf{iLTL}^\infty_e$ and in which the following holds.

1. The root of $T$ is labelled by $\sigma$.
2. A node of $T$ is a leaf if and only if it is labelled by an axiom.
3. Every left rule application is succinct.
4. Every right rule application except $\to R$ is preserving.
5. No invertible rule is applied to a sequent in which the principal formula is already saturated.
6. Instead of the rules $\to R$ and $S$, we have the rule

$$\frac{\Sigma, \Gamma^{+1}, A_0^0 \Rightarrow B_0^0 \quad \cdots \quad \Sigma, \Gamma^{+1}, A_k^0 \Rightarrow B_k^0 \qquad \Gamma \Rightarrow \Delta}{\Sigma, \Gamma^{+1} \Rightarrow (A_0 \to B_0)^0, \dots, (A_k \to B_k)^0, \Delta^{+1}, \Pi}\ C$$

where it is required that every formula in $\Sigma \cup \Pi$ is of nesting level 0, $\Pi$ does not contain a formula of the form $A \to B^0$ and the conclusion is a saturated sequent. We call the premises of the form $\Sigma, \Gamma^{+1}, A_j^0 \Rightarrow B_j^0$ the left premises, and $\Gamma \Rightarrow \Delta$ the right premise of $C$.

The 'choice' rule $C$ represents a choice between non-invertible rules that Prov has to make once the sequent is saturated. Note that the empty sequent is saturated; an empty sequent in a proof search tree can only be the conclusion of a $C$-rule and has another empty sequent as its only direct successor.

Given a sequent $\sigma$, one can build a proof search tree as follows. First try to saturate all left formulas by succinctly applying invertible left rules. If a left-saturated sequent is obtained, saturate all right formulas by preservingly applying invertible right rules, then apply $C$ and start over. Observe that it is possible that some branches in a proof search tree do not contain a saturated sequent, due to the fifth saturation clause.
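To make Definitions 9 and 10 and the procedure just described concrete, the following Python (an added example, not code from the paper) checks the saturation clauses of a set sequent, applies the invertible rules of Fig. 2 succinctly on the left and preservingly on the right, and runs the invertible part of the proof search with a cut-off on nesting depth, since left $U$-formulas may unfold forever. The optional `right_level` argument also covers the $k$-saturation of Definition 13. The tuple encoding of formulas and all helper names are assumptions of this example.

```python
"""Saturation (Definition 9) and bounded invertible proof search in the proof
search tree of Definition 10.  Added example; not the paper's code.  Encoding
(an assumption of this example): plain formulas are tuples ('p', name) |
('bot',) | ('and', A, B) | ('or', A, B) | ('imp', A, B) | ('X', A) | ('U', A, B);
a nested formula A^n is (A, n); a sequent is (gamma, delta), both frozensets."""
from collections import Counter

def nesting_depth(seq):
    gamma, delta = seq
    return max((n for _, n in gamma | delta), default=0)

def unsaturated(seq, right_level=0):
    """Formulas violating their saturation clause, as (side, A^n, clause).
    right_level=0 gives Definition 9; right_level=k gives the k-saturation of
    Definition 13 (right U-formulas up to level k)."""
    gamma, delta = seq
    top = nesting_depth(seq)
    out = []
    for a, n in sorted(gamma, key=repr):
        t = a[0]
        if t == 'and' and not ((a[1], n) in gamma and (a[2], n) in gamma):
            out.append(('L', (a, n), 1))
        elif t == 'or' and not ((a[1], n) in gamma or (a[2], n) in gamma):
            out.append(('L', (a, n), 2))
        elif t == 'imp' and not ((a[1], n) in delta or (a[2], n) in gamma):
            out.append(('L', (a, n), 3))
        elif t == 'X' and (a[1], n + 1) not in gamma:
            out.append(('L', (a, n), 4))
        elif t == 'U' and not any((a[2], m) in gamma
                                  and all((a[1], k) in gamma for k in range(n, m))
                                  for m in range(n, top + 1)):
            out.append(('L', (a, n), 5))
    for a, n in sorted(delta, key=repr):
        t = a[0]
        if t == 'and' and not ((a[1], n) in delta or (a[2], n) in delta):
            out.append(('R', (a, n), 6))
        elif t == 'or' and not ((a[1], n) in delta and (a[2], n) in delta):
            out.append(('R', (a, n), 7))
        elif t == 'X' and (a[1], n + 1) not in delta:
            out.append(('R', (a, n), 8))
        elif t == 'U' and n <= right_level and not (
                (a[2], n) in delta and ((a[1], n) in delta or (('X', a), n) in delta)):
            out.append(('R', (a, n), 9))
    return out

def apply_invertible(seq, side, principal):
    """Premises of the invertible rule of Fig. 2 with the given principal
    formula: succinct on the left (principal dropped), preserving on the right
    (principal kept), as Definition 10 requires."""
    gamma, delta = seq
    a, n = principal
    t, g = a[0], gamma - {principal}
    if side == 'L':
        if t == 'and': return [(g | {(a[1], n), (a[2], n)}, delta)]
        if t == 'or':  return [(g | {(a[1], n)}, delta), (g | {(a[2], n)}, delta)]
        if t == 'imp': return [(gamma, delta | {(a[1], n)}), (g | {(a[2], n)}, delta)]
        if t == 'X':   return [(g | {(a[1], n + 1)}, delta)]
        if t == 'U':   return [(g | {(a[2], n)}, delta),
                               (g | {(a[1], n), (('X', a), n)}, delta)]
    else:
        if t == 'and': return [(gamma, delta | {(a[1], n)}), (gamma, delta | {(a[2], n)})]
        if t == 'or':  return [(gamma, delta | {(a[1], n), (a[2], n)})]
        if t == 'X':   return [(gamma, delta | {(a[1], n + 1)})]
        if t == 'U':   return [(gamma, delta | {(a[2], n), (a[1], n)}),
                               (gamma, delta | {(a[2], n), (('X', a), n)})]
    raise ValueError((side, t))

def is_axiom(seq):
    gamma, delta = seq
    return any(a[0] == 'bot' for a, _ in gamma) or bool(gamma & delta)

def search(seq, bound):
    """Leaves of the invertible part of the proof search tree below `seq`,
    saturating left formulas before right ones as in Section 5.  A branch whose
    nesting depth exceeds `bound` is cut off and reported as 'bound' (left
    U-formulas may unfold forever); at a 'saturated' leaf the C-rule is due."""
    if is_axiom(seq):
        return [('axiom', seq)]
    if nesting_depth(seq) > bound:
        return [('bound', seq)]
    todo = unsaturated(seq)
    if not todo:
        return [('saturated', seq)]
    side, principal, _ = todo[0]
    return [leaf for premise in apply_invertible(seq, side, principal)
            for leaf in search(premise, bound)]

A, B, C = ('p', 'a'), ('p', 'b'), ('p', 'c')

def leaf_kinds(gamma, delta, bound=1):
    """Histogram of leaf kinds for the sequent gamma ⇒ delta."""
    leaves = search((frozenset(gamma), frozenset(delta)), bound)
    return dict(Counter(kind for kind, _ in leaves))
```

For $a\,U\,b^0 \Rightarrow a \lor b^0$ with the depth bound 1, the search closes two branches with axioms and cuts off the third, which keeps unfolding the left $U$-formula through $XL$ and $UL$; for $a \to b^0 \Rightarrow c^0$ both premises of $\to L$ are saturated immediately, so the next step on each would be an application of $C$.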

The following lemmas describe some key properties of proof search trees. For a node $s$ in a proof search tree, we write $\Gamma_s \Rightarrow \Delta_s$ to denote the sequent labelling the node $s$.

Lemma 3. If $T$ is a proof search tree wherein $s \in T$ is the conclusion of a $C$-application with right premise $t \in T$, then the following hold.

1. $t$ is labelled by a left-saturated sequent;
2. if $r \geq t$ and no $C$-application occurs between $t$ and $r$, then $\Gamma_r = \Gamma_t$.

Lemma 4. Every infinite branch of a proof search tree $T$ contains infinitely many applications of $UL$ or $C$.

Proof. Let $(p_i)_{i < \lambda}$ be a branch of $T$ (where $\lambda \leq \omega$). Suppose there exists a suffix $(p_i)_{j \leq i < \lambda}$ that contains no applications of $UL$ or $C$. Due to properties 3 to 5 of the proof search tree, there exists a $k \geq j$ such that all formulas except for left $U$-formulas are saturated in $p_k$. The only rules which may be applied at that point are $UL$ or $C$, showing that $(p_i)_{i < \lambda}$ must be finite.


Lemma 5. Every infinite branch of a proof search tree $T$ that contains only finitely many $C$-applications has a suffix with a good formula trace.

Proof. Let $\beta$ be an infinite branch of $T$ with finitely many $C$-applications. Let $p$ be a suffix of $\beta$ that starts after the last $C$-application. By the previous lemma, $p$ must contain infinitely many applications of $UL$. We show that $p$ contains a good trace.

Consider the tree $T_p$ of formula traces on $p$ (add a fresh node as the root). Now let $T'_p$ be the tree obtained from $T_p$ by identifying consecutive nodes that are labelled by the same formula. Note that $T'_p$ cannot be finite, since $p$ must contain infinitely many applications of $UL$ and this rule may not be applied to formulas that also function as a side formula. By König's lemma, $T'_p$ contains an infinite branch. Note that this branch corresponds to an infinite formula trace $(A_i)_i$ on $p$ that does not stagnate on a side formula, that is, $(A_i)_i$ actively passes through a left rule infinitely often. Properties 3 to 5 of the proof search tree and the absence of $C$-applications then imply that $(A_i)_i$ actively passes through $UL$ infinitely often.


We are now ready to define the notion of a refutation which corresponds to a 
winning strategy for Ref. 


Definition 11. A refutation of a sequent $\sigma$ is a subtree $R$ of a proof search tree $T$ for $\sigma$ such that the following hold.

1. $R$ contains the root of $T$.
2. Every branch of $R$ is infinite.
3. If a node $s$ in $R$ is (labelled by) the conclusion of an application of $C$ in $T$, then $R$ contains all direct successors of $s$ in $T$.
4. If a node $s$ in $R$ is (labelled by) the conclusion of an application of any rule other than $C$ in $T$, then $R$ contains exactly one direct successor of $s$ in $T$.
5. No infinite branch of $R$ contains a path with a good formula trace.

Note that the final condition above together with Lemma 5 implies that every branch in a refutation must contain infinitely many applications of the $C$-rule.


Proposition 1. Every sequent with a refutation has an expanding countermodel.

The proof of the above proposition is provided in the following section. For now, we turn to defining the proof search game which is instrumental in the completeness proof.

Given a sequent $\sigma$ and a proof search tree $T$ for $\sigma$, the proof search game $G(T, \sigma)$ is defined as follows. The game is played by two players Prov and Ref. The arena of the game is the proof search tree $T$. Each play starts in the root of $T$, which is labelled by $\sigma$. If the current play is in position $t$, where $t$ is a node of $T$, and $t$ is owned by player $P \in \{\mathrm{Prov}, \mathrm{Ref}\}$, then $P$ plays by choosing a direct successor of $t$ in $T$. Prov owns all positions that are conclusions of applications of the $C$-rule while every other position is owned by Ref. If a play reaches a node that has no successors (i.e. an axiom), then the play ends and is called finite; otherwise the play is called infinite. Observe that every play directly corresponds to a branch of $T$. The winning conditions are as follows: finite plays are won by Prov, and infinite plays are won by Prov if the infinite branch of $T$ to which the play corresponds contains a good trace, and won by Ref otherwise. We make use of the standard notion of a (winning) strategy for players. The following lemma is then a straightforward consequence of the winning conditions of the game $G(T, \sigma)$.

Lemma 6. If there is a winning strategy for Prov in $G(T, \sigma)$, then $\sigma$ has an $\mathsf{iLTL}^\infty_e$-proof, and if there is a winning strategy for Ref, then $\sigma$ has a refutation.

As the set of winning plays (for each player) is Borel, it follows from Martin's determinacy theorem [17] that the game $G(T, \sigma)$ is determined for any sequent $\sigma$ and proof search tree $T$. That is, exactly one player has a winning strategy in $G(T, \sigma)$. As every sequent has a proof search tree, completeness of $\mathsf{iLTL}^\infty_e$ is then obtained as a direct consequence of Proposition 1 and Lemma 6.


Theorem 2. Every sequent valid over the class of expanding models is provable in $\mathsf{iLTL}^\infty_e$.


5.1 Proof of Proposition 1 


Let $R$ be a refutation of $\sigma$. Recall that, for any node $s \in R$, $\Gamma_s \Rightarrow \Delta_s$ denotes the sequent labelling $s$. We define a dynamic model $M = (W, \leq, f, V)$ as follows.

1. $W = R/{\sim}$, where $s \sim t$ iff there exists a path between $s$ and $t$ in which no $C$-application occurs.
2. Define the function $f$ by
   $f(w) = v$ iff there exist $s \in w$ and $t \in v$ such that $s$ is the conclusion and $t$ is the right premise of the same $C$-application.
   Note that $f$ is a total function, since every branch of $R$ contains infinitely many $C$-applications and every $C$-application has a right premise.
3. First define the relation $\leq_0$ on $W$ by
   $w \leq_0 v$ iff there exist $s \in w$ and $t \in v$ such that $s$ is the conclusion and $t$ a left premise of the same $C$-application.
   Then let $\leq$ be the transitive reflexive closure of the relation
   $$\leq_1 \;=\; \{(f^n(w), f^n(v)) : w \leq_0 v \text{ and } n < \omega\}.$$
4. Define the valuation by $V(w) = \{p \in \mathrm{Prop} : p^0 \in \Gamma_w\}$, where $\Gamma_w = \bigcup_{s \in w} \Gamma_s$. Similarly to $\Gamma_w$, we write $\Delta_w$ for $\bigcup_{s \in w} \Delta_s$.

Lemma 7. $M$ is an expanding model.

Proof. Forward confluence follows directly from the definition of $\leq_1$. For monotonicity of the valuation, note that it suffices to show that the relation $\leq_1$ is monotone in $V$. In the following, we write $[t]$ for the equivalence class of $t$ with respect to $\sim$.

Let $w, v \in W$ with $w \leq_1 v$. Then there exist $n < \omega$ and $s, t \in R$ such that $w = f^n([s])$, $v = f^n([t])$ and $t$ is a left premise of a $C$-application on $s$. Note that this means that $w$ is reached from $[s]$ by applying the $C$-rule $n$ times while always taking the right premise, and similarly for $v$ and $[t]$. From Lemma 3 and the definition of $C$, it follows that for any atomic proposition $p$,

$$p^0 \in \Gamma_{f^n([s])} \text{ implies } p^n \in \Gamma_s, \qquad (1)$$
$$p^n \in \Gamma_t \text{ implies } p^0 \in \Gamma_{f^n([t])}. \qquad (2)$$

So we have the following chain of implications

$$p \in V(w) \iff p^0 \in \Gamma_{f^n([s])} \overset{(1)}{\Longrightarrow} p^n \in \Gamma_s \Longrightarrow p^n \in \Gamma_t \overset{(2)}{\Longrightarrow} p^0 \in \Gamma_{f^n([t])} \iff p \in V(v),$$

where the middle implication follows from the definition of $C$. This shows $V(w) \subseteq V(v)$ as required.


Lemma 8. For any $w \in W$, we have $M, w \models \bigwedge \Gamma_w$ and $M, w \not\models \bigvee \Delta_w$.

Proof. Let $A$ be a formula. By induction on the logical complexity of $A$, we simultaneously prove that for any $w \in W$ and $n < \omega$ we have (a) $w \models A^n$ if $A^n \in \Gamma_w$ and (b) $w \not\models A^n$ if $A^n \in \Delta_w$.

We only treat the propositional case and the connectives $\to$ and $U$. The proof relies on the $C$-rule being applied only to a saturated conclusion. Thus the sequent $\Gamma_w \Rightarrow \Delta_w$ is saturated for every $w \in W$.

We begin with (a). Suppose $A^n \in \Gamma_w$. If $A \in \mathrm{Prop}$, then $A^0 \in \Gamma_{f^n(w)}$ and thus $w \models X^n A$. If $A = B\,U\,C$, by saturation there exists an $m \geq n$ such that $C^m \in \Gamma_w$ and $B^k \in \Gamma_w$ for all $n \leq k < m$. Thus $w \models A^n$ by the IH. This leaves the case $A = B \to C$. Let $s \in w$ be the (unique) conclusion of a $C$-application. By the saturation clause for $\to L$, we have $C^n \in \Gamma_s$ or $B^n \in \Delta_s$. In the first case, the IH implies $w \models C^n$, hence $w \models A^n$. The second case is more involved. We have $A^0 \in \Gamma_{f^n(w)}$ by Lemma 3. Define $u = f^n(w)$ and let $v \geq u$. We restrict ourselves to the case that $u \leq_1 v$; the argument can be extended to the general case using the monotonicity lemma. Let $r, t \in R$ and $m < \omega$ be such that $u = f^m([r])$, $v = f^m([t])$ and $t$ is a left premise of a $C$-application with conclusion $r$. Since $A^0 \in \Gamma_u$, we have $A^m \in \Gamma_r$ (by Lemma 3), which implies that $A^m \in \Gamma_t$. As before, we then have $C^m \in \Gamma_{t'}$ or $A^m \in \Gamma_{t'}$, where $t' \in [t]$ is the conclusion of a $C$-application. This implies $v \models C^0$ (by the IH) or $A^0 \in \Gamma_v$ (by Lemma 3). In the second case, saturation implies that $C^0 \in \Gamma_v$ or $B^0 \in \Delta_v$. Applying the IH, either $v \models C^0$ or $v \not\models B^0$. Thus $u \models A^0$ and thereby $w \models A^n$.

We now consider (b). Suppose $A^n \in \Delta_w$. If $A \in \mathrm{Prop}$, then $A^n \notin \Gamma_w$, since no sequent in $R$ can be an axiom. By the same argument used to obtain (1), we have $A^0 \notin \Gamma_{f^n(w)}$ and thus $w \not\models X^n A$. If $A = B \to C$, then $A^0 \in \Delta_{f^n(w)}$. As the $C$-rule must be applied to some (namely the highest) sequent in the equivalence class $f^n(w)$, it must be the case that $f^n(w)$ has an intuitionistic successor $v$ such that $B^0 \in \Gamma_v$ and $C^0 \in \Delta_v$. The IH then implies $f^n(w) \not\models A^0$ and thus $w \not\models A^n$.

Finally, if $A = B\,U\,C$, then $A^0 \in \Delta_{f^n(w)}$ because $UR$-applications are preserving. Saturation and the IH imply $f^n(w) \not\models C^0$ and either $f^n(w) \not\models B^0$ or $A^1 \in \Delta_{f^n(w)}$. Similarly, for every $m \geq n$, if $A^1 \in \Delta_{f^m(w)}$ then $f^{m+1}(w) \not\models C^0$ and either $f^{m+1}(w) \not\models B^0$ or $A^1 \in \Delta_{f^{m+1}(w)}$. So either there exists an $m \geq n$ such that $f^m(w) \not\models B^0$ and $f^k(w) \not\models C^0$ for all $n \leq k \leq m$, or $f^m(w) \not\models C^0$ for all $m \geq n$. Either way, $w \not\models A^n$.

We conclude that the expanding model $M$ falsifies $\sigma$.


5.2 A Sequent Unprovable with Bounded Nesting 


We have shown that the calculus $\mathsf{iLTL}^\infty_e$ is complete with respect to the class of expanding models via a proof search argument. However, our argument does not yield regular completeness. Observe that in the construction of the proof search tree, there is no bound given on the nesting depth occurring in sequents. Indeed, in order to saturate $U$-formulas on the left, one has to keep unfolding them until the left premise is chosen, which, in case of a successful branch, might never happen. Hence, proofs might have arbitrarily large nesting depth and there is thus no guarantee that infinite branches will contain repetitions. This observation raises the question of whether the completeness proof can be adapted to obtain a bound on the nesting depth occurring in $\mathsf{iLTL}^\infty_e$-proofs. Unfortunately, this is not possible, as there are sequents that are not provable in $\mathsf{iLTL}^\infty_e$ with bounded nesting depth. An example for this is the sequent

$$\Diamond(A \lor B)^0 \Rightarrow C \to \Diamond A^0,\ C \to \Diamond B^0,$$

where $\Diamond A := \top\,U\,A$ and $\top := \bot \to \bot$. For brevity, instead of the $U$-rules we will use the following rules for $\Diamond$.

$$\frac{\Gamma, A^n \Rightarrow \Delta \quad\quad \Gamma, X\Diamond A^n \Rightarrow \Delta}{\Gamma, \Diamond A^n \Rightarrow \Delta}\ \Diamond L \qquad\qquad \frac{\Gamma \Rightarrow A^n, X\Diamond A^n, \Delta}{\Gamma \Rightarrow \Diamond A^n, \Delta}\ \Diamond R$$

It is easy to see that any formula in the $\Diamond$-fragment of iLTL is provable in $\mathsf{iLTL}^\infty_e$ if and only if it is provable in $\mathsf{iLTL}^\infty_e$ with the $\Diamond$-rules instead of the $U$-rules.

Let us now consider the following proof $\pi$ of the sequent $\Diamond(A \lor B)^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0$; below we write $\Delta$ for its right-hand side $C \to \Diamond A^0, C \to \Diamond B^0$.
$$\frac{\dfrac{\pi_0}{A \lor B^0 \Rightarrow \Delta} \qquad \dfrac{\dfrac{\dfrac{\pi_1}{A \lor B^1 \Rightarrow \Delta} \qquad \dfrac{\vdots}{X\Diamond(A \lor B)^1 \Rightarrow \Delta}}{\Diamond(A \lor B)^1 \Rightarrow \Delta}\ \Diamond L}{X\Diamond(A \lor B)^0 \Rightarrow \Delta}\ XL}{\Diamond(A \lor B)^0 \Rightarrow \Delta}\ \Diamond L$$

The subproof $\pi_0$ is given as follows.

$$\frac{\dfrac{\dfrac{\dfrac{}{A^0, C^0 \Rightarrow A^0, X\Diamond A^0}\ \mathrm{id}}{A^0, C^0 \Rightarrow \Diamond A^0}\ \Diamond R}{A^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0}\ {\to}R \qquad \dfrac{\dfrac{\dfrac{}{B^0, C^0 \Rightarrow B^0, X\Diamond B^0}\ \mathrm{id}}{B^0, C^0 \Rightarrow \Diamond B^0}\ \Diamond R}{B^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0}\ {\to}R}{A \lor B^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0}\ \lor L$$

The subproof $\pi_1$ is similar, the only difference being that the formulas $\Diamond A^0$ and $\Diamond B^0$ have to be unfolded twice to reach an axiom instead of just once. In the same way, we obtain the subproofs $\pi_i$ for each $i < \omega$.

Note that $\pi$ is indeed a proof, as it contains only one infinite branch and this branch contains a good trace, and that the nesting depth in $\pi$ is unbounded. Furthermore, note that any proof of this sequent will have an infinite branch on the right with unbounded nesting levels. Working bottom-up, applying any rule other than $\Diamond L$ to the root sequent results in an unprovable sequent, and applying any rule other than $XL$ to its right premise results in an unprovable sequent as well. The same argument applies to each sequent in the right-most branch of $\pi$.

Interestingly, allowing analytic cuts there is a proof of this sequent with nesting depth bounded by 1, the cut formula being $\Diamond A \lor \Diamond B^0$.


6  Persistency 


The system $\mathsf{iLTL}^\infty_e$ can be adapted to a sound and complete proof system for the logic $\mathsf{iLTL}_p$ of validities over persistent models.

Definition 12. The sequent calculus $\mathsf{iLTL}^\infty_p$ consists of the rules of $\mathsf{iLTL}^\infty_e$ except $S$ and $\to R$, which are replaced by

$$\frac{\Gamma, A^n \Rightarrow B^n}{\Gamma \Rightarrow A \to B^n, \Delta}\ {\to}R_p$$

Derivations, paths, (good) formula traces and proofs are defined for $\mathsf{iLTL}^\infty_p$ just as for $\mathsf{iLTL}^\infty_e$, and it is easy to see that Lemma 2 still holds. To prove soundness, one can simply follow the proof of Theorem 1 and, in the case for $\to R_p$, invoke the validity of $(XA \to XB) \to X(A \to B)$ over the class of persistent models.

To show completeness, we will adapt the proof search for $\mathsf{iLTL}^\infty_e$ by introducing different levels of saturation.
Definition 13. Let $k < \omega$. A sequent $\Gamma \Rightarrow \Delta$ is $k$-saturated if it satisfies clauses 1-8 of Definition 9 and the additional clause

9. for all $n \leq k$, if $A\,U\,B^n \in \Delta$, then $B^n, A^n \in \Delta$ or $B^n, X(A\,U\,B)^n \in \Delta$.

Given a sequent $\sigma$, we say that a formula $A$ is $k$-saturated in $\sigma$ if $\sigma$ satisfies the relevant $k$-saturation clause for $A$.

Note that $0$-saturation is equivalent to our earlier notion of saturation.

To keep track of the level of saturation in sequents, the proof search tree will be labelled by indexed sequents $\Gamma \Rightarrow_k \Delta$, that is, sequents equipped with a natural number $k < \omega$.


Definition 14. A persistent proof search tree $T$ for a sequent $\Gamma \Rightarrow \Delta$ is a finite or infinite tree whose nodes are labelled with indexed sequents following the rules of $\mathsf{iLTL}^\infty_p$ such that:

1. The root of $T$ is labelled by $\Gamma \Rightarrow_0 \Delta$.
2. A node of $T$ is a leaf if and only if it is labelled by an axiom.
3. Invertible rule applications leave the index of a sequent unchanged.
4. Every left rule application is succinct.
5. Every right rule application apart from $\to R_p$ is preserving.
6. No invertible rule is applied to a sequent of index $k$ in which the principal formula is already $k$-saturated.
7. In place of the rule $\to R_p$, the rule

$$\frac{\Gamma, A_0^k \Rightarrow_0 B_0^k \quad \cdots \quad \Gamma, A_j^k \Rightarrow_0 B_j^k \qquad \Gamma \Rightarrow_{k+1} (A_0 \to B_0)^k, \dots, (A_j \to B_j)^k, \Delta}{\Gamma \Rightarrow_k (A_0 \to B_0)^k, \dots, (A_j \to B_j)^k, \Delta}\ C_p$$

is utilised, where $\Delta$ may not contain a formula of the form $A \to B^k$ and the conclusion of the rule is a $k$-saturated sequent.


It is easy to see that every sequent has a persistent proof search tree and that Lemmas 3, 4 and 5 also hold for persistent proof search trees. Following Definition 11, we define a persistent refutation as a subtree of a persistent proof search tree satisfying properties 1-5 of Definition 11, with $C$ replaced by $C_p$. As before, the fifth property ensures that every branch in a persistent refutation passes through the $C_p$-rule infinitely often.

Via a game-theoretic argument, we obtain completeness of $\mathsf{iLTL}^\infty_p$ as a corollary of the following proposition.

Proposition 2. If a sequent $\sigma$ has a persistent refutation, then it has a persistent countermodel.

Due to the space limit the proof is omitted. The main difference to the proof of Proposition 1 is that, when constructing a persistent countermodel from a persistent refutation, right premises of the $C_p$-rule are not viewed as temporal successors but as a further description of the current world $w$. In the limit, this description fully determines the temporal 'successors' $f^n(w)$ for every $n$, whereby these successors can be added accordingly. Due to this limit construction, worlds in the obtained countermodel may have infinitely many intuitionistic successors, which is not the case for the countermodel obtained in Proposition 1.
7 Conclusion

This investigation is part of a larger programme of devising sequent calculi for intuitionistic modal logic with fixed points to establish fundamental properties such as decidability and algorithmic proof search. To this aim, we introduce ill-founded cut-free sequent calculi for intuitionistic linear-time temporal logic over expanding and persistent models, denoted $\mathsf{iLTL}_e$ and $\mathsf{iLTL}_p$ respectively. The presented systems and the techniques devised to establish soundness and completeness are inspired by the study of ill-founded proof systems for classical temporal logics. In particular, we have illustrated how the method of proof search can be adapted to the intuitionistic realm.

A natural direction for future research is to extend $\mathsf{iLTL}_e$ and $\mathsf{iLTL}_p$ to logics containing greatest fixed point operators such as 'henceforth' and, more generally, 'release'. The latter is the classical dual of $U$ which is not definable from $U$ in the intuitionistic setting [3]. Although we believe that our approach can be extended to handle more expressive temporal logics, an adaptation of the proof search strategy is by no means trivial. The presence of greatest fixed point formulas on the left-hand side of a sequent presents a challenge in ensuring that the model constructed from a refutation satisfies monotonicity.

Another possible direction is to devise complete cyclic calculi for iLTL-based logics. The main difficulty in turning an ill-founded proof into a cyclic one lies in our reliance on nested sequents. In the completeness proof, there is no guarantee that every infinite branch in a proof contains a repeated sequent. Indeed, as shown in Sect. 5.2, the sequent $\Diamond(A \lor B)^0 \Rightarrow C \to \Diamond A^0, C \to \Diamond B^0$ admits a proof in $\mathsf{iLTL}^\infty_e$ only with an unbounded nesting depth. This implies that a simple definition of repetition in an infinite branch will not result in a complete cyclic system. Incorporating the cut rule into the systems, one can obtain a proof of the sequent wherein the nesting depth is at most 1. Since the required application of cut in this example requires only analytic formulas, it is worthwhile investigating whether the presented systems can be turned into cyclic systems with analytic cuts.
Abstract. Automata operating on infinite objects feature prominently in the theory of the modal $\mu$-calculus. One such application concerns the tableau games introduced by Niwiński & Walukiewicz, of which the winning condition for infinite plays can be naturally checked by a nondeterministic parity stream automaton. Inspired by work of Jungteerapanich and Stirling we show how determinization constructions of this automaton may be used to directly obtain proof systems for the $\mu$-calculus. More concretely, we introduce a binary tree construction for determinizing nondeterministic parity stream automata. Using this construction we define the annotated cyclic proof system BT, where formulas are annotated by tuples of binary strings. Soundness and completeness of this system follow almost immediately from the correctness of the determinization method.

Keywords: modal mu-calculus · derivation system · determinisation of Büchi and parity automata · non-wellfounded and cyclic proofs


1 Introduction 


The Modal $\mu$-calculus. The modal $\mu$-calculus is a natural extension of basic modal logic with explicit least and greatest fixpoint operators. Allowing the formulation of various recursive phenomena, this extension raises the expressive power of the language (at least when it comes to bisimulation-invariant properties of transition systems) to that of monadic second-order logic [12]. The $\mu$-calculus is generally regarded as a universal specification language, since it embeds most other logics that are used for this purpose, such as LTL, CTL, CTL* and PDL. Despite its expressive power the $\mu$-calculus still has reasonable computational properties; its model checking problem is in quasi-polynomial time [4] and its satisfiability problem is EXPTIME-complete [7]. Another interesting feature of the theory of the modal $\mu$-calculus lies in its connections with other fields, in particular the theory of finite automata operating on infinite objects, and that of infinite games.
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Derivation Systems. Given the importance of the modal p-calculus, there is 
a natural interest in the development and study of derivation systems for its 
validities. And indeed, already in [15] Kozen proposed an axiomatization. Despite 
the naturality of this axiom system, he only established a partial completeness 
result, and it took a substantial amount of time before Walukiewicz [25] managed 
to prove soundness and completeness for the full language. 

Kozen's axiomatization amounts to a Hilbert-style derivation system, making it
less attractive for proof search. If one is interested in a cut-free system, a good
starting point is the two-player tableau-style game introduced by Niwiński &
Walukiewicz [19]. Here we will present their system in the shape of a derivation
system NW (this change of perspective can be justified by identifying winning
strategies for one of the players in the game with NW-proofs). NW is a one-sided
sequent system which allows for infinite proofs: although its proof rules are
completely standard (and finitary), due to the unfolding rules for the fixpoint
operators, derivations may have infinite branches. A crucial aspect of the
NW-system is that one has to keep track of the traces of individual formulas along
the infinite branches. A derivation will only count as a proper proof if each of its
infinite branches is successful, in the sense that it carries a so-called ν-trace: a
trace which is dominated by a greatest fixpoint operator.

This condition is easy to formulate but not so nice to work with. One could
describe the subsequent developments in the proof theory for the modal μ-calculus
as a series of modifications of the system NW which aim to get a grip on the
complexities and intricacies of the above-mentioned traces, and in particular, to
use the resulting “trace management” for the introduction of finitary, cyclic proof
systems. Landmark results were obtained by Jungteerapanich [13] and Stirling [23],
who introduced cyclic proof systems for the μ-calculus, two calculi that we will
identify here under the name JS.


Automata and Derivation Systems. Applications of automata theory are ubiquitous
in the theory of the modal μ-calculus, and the area of proof theory is no
exception. In particular, Niwiński & Walukiewicz [19] observed that infinite
matches of their game, corresponding to infinite branches in an NW-derivation, can
be seen as infinite words or streams over some finite alphabet. It follows that
stream automata (automata operating on infinite words) can be used to determine
whether such a match/branch carries a ν-trace. Niwiński & Walukiewicz used this
perspective to link their results to the exponential-time complexity of the
satisfiability problem for the μ-calculus.

A key contribution of Jungteerapanich and Stirling [13,23] was to bring automata
inside the proof system. The basic idea would be to decorate each sequent in a
derivation with a state of the stream automaton which recognizes whether an
infinite branch is successful or not; starting from the root, the successive states
decorating the sequents on a given branch simply correspond to a run of the
automaton on this branch. For this idea to work one needs the stream automaton to
be deterministic. To see this, observe that two successful but distinct branches in
a derivation would generally require two distinct runs, and in the case of a
nondeterministic automaton, these two runs might already diverge before the two
branches split.

Interestingly, there is a natural stream automaton recognizing the successful
branches of an NW-derivation: One may simply take the states of such an automaton
to be the formulas in the (Fischer-Ladner) closure of the root sequent. But given
the nondeterministic format of this automaton, before it can be used in a proof
system, we need to transform it into an equivalent deterministic one. This explains
the relevance of constructions for determinizing stream automata to the proof
theory of the modal μ-calculus.


Determinization of Stream Automata. Using the ideas we just sketched, one may
obtain sound and complete derivation systems for the modal μ-calculus in an easy
way. For any deterministic automaton A that recognizes the successful branches in
NW-derivations, one could simply introduce new-style sequents consisting of an
NW-sequent decorated with a state of A, and adapt the proof rules of NW
incorporating the transition map of A. This could be done in such a way that the
stream of decorations of an infinite branch corresponds to the run of A on the
stream of sequents of the same branch. The trace condition of NW-derivations could
then be replaced by the acceptance condition of A (which is generally much
simpler, since it does not refer to traces).

More interesting is to use specific determinization constructions, in order to
design more attractive proof systems or to prove results about the derivation
system (and thus, potentially, about the μ-calculus). In particular, some
determinization constructions are based on a power construction, meaning that the
states of the deterministic automaton consist of macrostates (subsets of the
nondeterministic original) with some additional structure. Such constructions allow
for proof calculi where this additional structure is incorporated into the
sequents. For instance, the derivation system JS is based on the well-known Safra
construction [20], in which the states of the deterministic automaton consist of
macrostates of the original automaton that are organised by means of so-called
Safra trees. Concretely, the (augmented) sequents in JS consist of a set of
annotated formulas, with the annotations indicating the position of the formula in
the Safra tree and a so-called control which provides additional information on
the Safra tree.


Our Contribution. Our overall goal is to make explicit the role of automata theory
in the design of derivation systems for the modal μ-calculus (and other fixpoint
logics). Our point is that distinct determinization constructions lead to distinct
sequent systems, and that we may look for alternatives to the Safra construction.
Concretely, the contribution of this paper is threefold:


1. We provide a new determinization construction for both Büchi and parity
stream automata which is based on binary trees. Our construction is similar
to constructions related to so-called profile trees [8, 16].

2. We apply our construction to obtain a new derivation system BT for the
modal μ-calculus. While our system is similar in spirit to the system JS, a
key difference is that our sequents consist of annotated formulas, and nothing
else.

3. We establish the soundness and completeness of BT. A distinguishing feature
of our approach is that (up to some optimizations) this result is a direct
consequence of the soundness and completeness of NW and the adequacy of
our determinization construction.


Related Work. There is an extensive literature on applications of automata theory
in the theory of the modal μ-calculus, among others [6, 11, 12, 26]. Jungteerapanich
and Stirling [13,23] were the first to obtain an annotated proof system inspired by
the determinization of automata. The proof system Focus for the alternation-free
μ-calculus designed by Marti & Venema [18] originates with a rather simple
determinization construction for so-called weak automata. In [17], Leigh & Wehr
also take a rather general approach towards the use of determinization
constructions in the design of derivation systems, but they confine attention to
the Safra construction.


Overview of Paper. In the next section we provide the necessary background
material on binary trees, on ω-automata, on the modal μ-calculus and the proof
system NW; doing so we fix our notation. In Sect. 3 we introduce a new
determinization method for nondeterministic Büchi and parity automata. We will
use this construction to prove the soundness and completeness of the proof system
BT, which we introduce in Sect. 4. All missing proofs can be found in the extended
version of this paper [5].


2 Preliminaries 


Binary Trees. We let $2^*$ denote the set of binary strings; we write $<$ for the
lexicographical order on $2^*$, and $\sqsubseteq$ for the (initial) substring relation
given by $s \sqsubseteq t$ if $sr = t$ for some $r$. Substitution for binary strings is
defined in the following way: Let $s, t, \bar{s}, r \in 2^*$ be such that $s = t\bar{s}$;
then $s[t \mapsto r]$ denotes the binary string $r\bar{s}$. A binary tree is a finite set
of binary strings $T \subseteq 2^*$ such that $s0 \in T \Rightarrow s \in T$ and
$s0 \in T \Leftrightarrow s1 \in T$. Here we let $\mathrm{leaves}(T) = \{s \in T \mid s0 \notin T\}$
denote its set of leaves, and $\mathrm{minL}(T)$ the minimal leaf of $T$, i.e. the unique
leaf of the form $0 \cdots 0$. A set of binary strings $L$ is a set of leaves of a binary
tree if for all $s \neq t \in L$ we have $s \not\sqsubseteq t$ and
$\mathrm{tree}(L) = \{s \in 2^* \mid \exists t \in L : s \sqsubseteq t\}$ is a binary tree.


Stream Automata. A non-deterministic automaton over a finite alphabet $\Sigma$ is a
quadruple $\mathbb{A} = (A, \Delta, a_I, \mathrm{Acc})$, where $A$ is a finite set,
$\Delta : A \times \Sigma \to \mathcal{P}(A)$ is the transition function of $\mathbb{A}$,
$a_I \in A$ its initial state and $\mathrm{Acc} \subseteq A^\omega$ its acceptance
condition. An automaton is called deterministic if $|\Delta(a, y)| = 1$ for all pairs
$(a, y) \in A \times \Sigma$. A run of an automaton $\mathbb{A}$ on a stream
$w = y_0 y_1 y_2 \ldots \in \Sigma^\omega$ is a stream $a_0 a_1 a_2 \ldots \in A^\omega$
such that $a_0 = a_I$ and $a_{i+1} \in \Delta(a_i, y_i)$ for all $i \in \omega$. A
stream $w$ is accepted by $\mathbb{A}$ if there is a run of $\mathbb{A}$ on $w$ which is
in $\mathrm{Acc}$; we define $L(\mathbb{A})$ to be the set of all streams accepted by
$\mathbb{A}$.
The acceptance condition can be given in different ways: A Büchi condition is given
as a subset $F \subseteq A$. The corresponding acceptance condition is the set of
runs which contain infinitely many states in $F$. A parity condition is given as a
map $\Omega : A \to \omega$. The corresponding acceptance condition is the set of
runs $\alpha$ such that $\min\{\Omega(a) \mid a \text{ occurs infinitely often in } \alpha\}$
is even. A Rabin condition is given as a set $R = ((G_i, B_i))_{i \in I}$ of pairs of
subsets of $A$. The corresponding acceptance condition is the set of runs $\alpha$
for which there exists $i \in I$ such that $\alpha$ contains infinitely many states
in $G_i$ and finitely many in $B_i$. Automata with these acceptance conditions are
called Büchi, parity and Rabin automata, respectively.


Modal μ-calculus: Syntax. The set $\mathcal{L}_\mu$ of formulas of the modal
μ-calculus is generated by the grammar

$$\varphi ::= p \mid \bar{p} \mid \bot \mid \top \mid (\varphi \lor \varphi) \mid (\varphi \land \varphi) \mid \Diamond\varphi \mid \Box\varphi \mid \mu x.\varphi \mid \nu x.\varphi,$$

where $p$ and $x$ are taken from a fixed set $\mathrm{Prop}$ of propositional
variables and in formulas of the form $\mu x.\varphi$ and $\nu x.\varphi$ there are no
occurrences of $\bar{x}$ in $\varphi$.

Formulas of the form $\mu x.\varphi$ ($\nu x.\varphi$) are called μ-formulas
(ν-formulas, respectively); formulas of either kind are called fixpoint formulas.
We write $\eta, \lambda \in \{\mu, \nu\}$ to denote an arbitrary fixpoint operator.
We use standard terminology and notation for the binding of variables by the
fixpoint operators and for substitutions, and make sure only to apply substitution
in situations where no variable capture will occur. An important use of the
substitution operation concerns the unfolding $\chi[\xi/x]$ of a fixpoint formula
$\xi = \eta x.\chi$.

Given two formulas $\varphi, \psi \in \mathcal{L}_\mu$ we write $\varphi \to_C \psi$
if $\psi$ is either a direct boolean or modal subformula of $\varphi$, or else
$\varphi$ is a fixpoint formula and $\psi$ is its unfolding. The closure
$\mathrm{Clos}(\Phi) \subseteq \mathcal{L}_\mu$ of $\Phi \subseteq \mathcal{L}_\mu$ is
the least superset of $\Phi$ that is closed under this relation. It is well known
that $\mathrm{Clos}(\Phi)$ is finite iff $\Phi$ is finite. A trace is a sequence
$(\varphi_n)_{n < \kappa}$, with $\kappa \leq \omega$, such that
$\varphi_n \to_C \varphi_{n+1}$ for all $n + 1 < \kappa$.

We define a dependence order on the fixpoint formulas occurring in $\Phi$, written
$\mathrm{Fix}(\Phi)$, by setting $\eta x.\varphi <_\Phi \lambda y.\psi$ (where smaller
in $<_\Phi$ means being of higher priority) if
$\mathrm{Clos}(\eta x.\varphi) = \mathrm{Clos}(\lambda y.\psi)$ and $\eta x.\varphi$ is a
subformula of $\lambda y.\psi$. One may define a parity function
$\Omega : \mathrm{Fix}(\Phi) \to \omega$ which respects this order (i.e.,
$\Omega(\eta x.\varphi) < \Omega(\lambda y.\psi)$ if $\eta x.\varphi <_\Phi \lambda y.\psi$)
and satisfies that $\Omega(\eta x.\varphi)$ is even iff $\eta = \nu$. Let
$\max_\Omega(\Phi) = \max\{\Omega(\nu x.\varphi) \mid \nu x.\varphi \in \mathrm{Fix}(\Phi)\}$.

It is well known that any infinite trace $\tau = (\varphi_n)_{n < \omega}$ features a
unique formula $\varphi$ that occurs infinitely often on $\tau$ and is a subformula of
$\varphi_n$ for cofinitely many $n$. This formula is always a fixpoint formula, and
where it is of the form $\eta x.\psi$ we call $\tau$ an $\eta$-trace.

Since the semantics of the modal μ-calculus only plays an indirect role in our
paper, we refrain from giving the definition.


Non-wellfounded Proofs. A sequent $\Gamma$ is a finite set of μ-calculus formulas,
possibly with additional structure such as annotations. Rules have the following
form, possibly with additional side conditions:

[rule schemata not legible in the scan: a rule $R$ with $n$ premises and conclusion $\Gamma$, and the discharge rule $D^x$]

A rule $R$, where $n = 0$, is called an axiom. The rules $D^x$ are called discharge
rules. Each discharge rule is marked by a unique discharge token taken from a fixed
infinite set $\mathcal{D} = \{x, y, \ldots\}$.


Definition 1. A derivation system $\mathsf{P}$ is a set of rules. A $\mathsf{P}$
derivation $\pi = (T, P, S, R, f)$ is a quintuple such that $(T, P)$ is a, possibly
infinite, tree with nodes $T$ and parent relation $P$; $S$ is a function that maps
every node $u \in T$ to a non-empty sequent $S(u)$; $R$ is a function that maps every
node $u \in T$ to its label $R(u)$, which is either (i) the name of a rule in
$\mathsf{P}$ or (ii) a discharge token; and $f$ is a partial function that maps some
nodes $u \in T$ to their principal formula $f(u) \in S(u)$. If a specific formula
$\varphi$ in the conclusion of a rule is designated, then $f(u) = \varphi$ and
otherwise $f(u)$ is undefined. To qualify as a derivation, such a quintuple is
required to satisfy the following conditions:

1. If a node is labeled with the name of a rule then it has as many children as the
rule has premises, and the annotated sequents at the node and its children match
the specification of the rule.

2. If a node is labeled with a discharge token then it is a leaf. For every leaf $l$
that is labeled with a discharge token $x \in \mathcal{D}$ there is exactly one node
$u \in T$ that is labeled with $D^x$. This node $u$ and its child are proper
ancestors of $l$. In this situation we call $l$ a discharged leaf, and $u$ its
companion; we write $c$ for the function that maps a discharged leaf $l$ to its
companion $c(l)$ and write $p(l)$ for the path in $T$ from $c(l)$ to $l$.


A derivation $\pi' = (T', P', S', R', f')$ is a subderivation of
$\pi = (T, P, S, R, f)$ if $(T', P')$ is a subtree of $(T, P)$ and $S', R', f'$ and
$S, R, f$ agree on $(T', P')$. A derivation $\pi$ is called regular if it has
finitely many distinct subderivations.


Definition 2. Let $\pi = (T, P, S, R, f)$ be a derivation. We define two graphs we
are interested in: (i) the usual proof tree $T_\pi = (T, P)$ and (ii) the proof tree
with back edges $T^C_\pi = (T, P^C)$, where
$P^C = P \cup \{(l, c(l)) \mid l \text{ is a discharged leaf}\}$ is the parent
relation plus back-edges for every discharged leaf.

A strongly connected subgraph in $T^C_\pi$ is a set $S$ of nodes such that for every
$u, v \in S$ there is a $P^C$-path from $u$ to $v$.


The NW Proof System. The rules of the derivation system NW, which is directly 
based on the tableau games introduced by Niwiński & Walukiewicz [19], are 
given in Fig. 1. 

In order to decide whether an NW derivation qualifies as a proper proof, 
one has to keep track of the development of individual formulas along infinite 
branches of the proofs. 
Fig. 1. Rules of NW


Definition 3. Let $\Gamma, \Gamma'$ be sequents and $\xi$ a formula such that
$\Gamma$ is the conclusion and $\Gamma'$ is a premise of a rule in Fig. 1 with
principal formula $\xi$. We define the active and passive trail relations
$A_{\xi,\Gamma,\Gamma'}, P_{\xi,\Gamma,\Gamma'} \subseteq \Gamma \times \Gamma'$.
Both relations are defined via a case distinction on $\xi$:

Case $\xi = \Box\varphi$: Then $\Gamma = \Box\varphi, \Diamond\Delta, \Delta'$ and
$\Gamma' = \varphi, \Delta$. We define
$A_{\xi,\Gamma,\Gamma'} = \{(\Box\varphi, \varphi)\} \cup \{(\Diamond\chi, \chi) \mid \chi \in \Delta\}$
and $P_{\xi,\Gamma,\Gamma'} = \emptyset$.

Case $\xi = \varphi \lor \psi$: Then $\Gamma = \varphi \lor \psi, \Delta$ and
$\Gamma' = \varphi, \psi, \Delta$. We define
$A_{\xi,\Gamma,\Gamma'} = \{(\varphi \lor \psi, \varphi), (\varphi \lor \psi, \psi)\}$
and $P_{\xi,\Gamma,\Gamma'} = \{(\chi, \chi) \mid \chi \in \Delta\}$.

The relations for the remaining rules are defined analogously.

The trail relation $T_{\xi,\Gamma,\Gamma'} \subseteq \Gamma \times \Gamma'$ is
defined as $A_{\xi,\Gamma,\Gamma'} \cup P_{\xi,\Gamma,\Gamma'}$. Finally, for nodes
$u, v$ in an NW proof $\pi$ such that $P(u, v)$, we define
$T_{u,v} = T_{f(u), S(u), S(v)}$ (and analogously $A_{u,v}$ and $P_{u,v}$).

Note that for any two nodes $u, v$ with $P(u, v)$ and $(\varphi, \psi) \in T_{u,v}$,
we have either $(\varphi, \psi) \in A_{u,v}$ and $\varphi \to_C \psi$, or else
$(\varphi, \psi) \in P_{u,v}$ and $\varphi = \psi$. The idea is that $A$ connects
the active formulas in the premise and conclusion, whereas $P$ connects the side
formulas.


Definition 4. Let $\pi = (T, P, S, R, f)$ be an NW derivation. A branch of $\pi$ is
simply a (finite or infinite) branch of the underlying tree $(T, P)$ of $\pi$. A
trail on a branch $\alpha = (u_n)_{n < \kappa}$ is a sequence
$\tau = (\varphi_n)_{n < \kappa}$ of formulas such that
$(\varphi_i, \varphi_{i+1}) \in T_{u_i, u_{i+1}}$ whenever $i + 1 < \kappa$. We obtain
the tightening $\hat{\tau}$ of such a $\tau$ by erasing all $\varphi_{i+1}$ from
$\tau$ for which $(\varphi_i, \varphi_{i+1})$ belongs to the passive trail relation
$P_{u_i, u_{i+1}}$. We call $\tau$ a ν-trail if its tightening $\hat{\tau}$ is a
ν-trace (and so, in particular, it is infinite).


Definition 5. An NW proof $\pi$ is an NW derivation such that on every infinite
branch of $\pi$ there is a ν-trail. We write $\mathsf{NW} \vdash \Gamma$ if there is
an NW proof of $\Gamma$, i.e., an NW proof where $\Gamma$ is the sequent at the root
of the proof.


Soundness and completeness of NW for guarded formulas (i.e., where in every
subformula $\eta x.\psi$ all free occurrences of $x$ in $\psi$ are in the scope of a
modality) follows from the results by Niwiński & Walukiewicz [19]. As pointed out
in [2], it follows from [24] and [10] that the result in fact holds for arbitrary
formulas. By Theorem 6.3 in [19], NW-proofs can be assumed to be regular, and this
observation applies to unguarded formulas as well.


Theorem 1 (Soundness & Completeness). Let $\Gamma$ be a sequent. Then
$\bigvee \Gamma$ is valid iff $\mathsf{NW} \vdash \Gamma$ iff $\Gamma$ has a regular
NW-proof.
3 Determinization of Automata with Binary Trees


3.1 Büchi Automata


Let $\Sigma$ be an alphabet and $\mathbb{B} = (B, \Delta, b_I, F)$ a nondeterministic
Büchi automaton over $\Sigma$. We want to present an equivalent deterministic Rabin
automaton.

The run tree of $\mathbb{B}$ on a word $w = (w_i)_{i \in \omega}$ is a pair
$\mathcal{R} = (R, l)$, where $R$ is the full infinite binary tree and $l$ labels every
node $s$ with $B_s \subseteq B$, such that $l(\varepsilon) = \{b_I\}$ and for $|s| = i$:
$l(s1) = \Delta(B_s, w_i) \cap F$ and $l(s0) = \Delta(B_s, w_i) \setminus F$, where we
define $\Delta(B_s, y) = \bigcup_{b \in B_s} \Delta(b, y)$. It describes all possible
runs of $\mathbb{B}$ on $w$, using the 1s to keep track of visited states in $F$.

The profile tree, introduced in [9], is a pruned version of the run tree, where 1)
at each level all but the (lexicographically) greatest occurrence of a state $b$ are
removed and 2) nodes labelled by the empty set are deleted. This results in a tree
of bounded width, where every node has 0, 1 or 2 children. It can be proved that
$\mathbb{B}$ accepts a stream $w$ iff the corresponding profile tree has a branch
with infinitely many 1s.

In [8] a determinization method was defined, where macrostates encode levels of the
profile tree. In our approach macrostates encode a compressed version of the whole
profile tree up to some level: Nodes $u, v$ are identified (iteratively) if $v$ is
the unique child of $u$. This results in finite binary trees, where leaves are
labelled by subsets of $B$. In every step of the transition function we add one
level of the run tree and then prune and compress the tree to obtain a binary tree
again. Whenever a 1 is compressed (in the sense of a node being identified with its
right child) we know that a state in $F$ has been visited and mark the node green.
A run of the deterministic automaton is accepted if there is a node which never
gets removed and is marked green infinitely often. Figure 2 contains an example of
this determinization construction.

Formally we define the deterministic Rabin automaton
$\mathbb{B}^D = (B^D, \delta, b^D_I, R)$ as follows: An element $S$ in the carrier
$B^D$ of $\mathbb{B}^D$ is called a macrostate and consists of

– a subset $B_S$ of $B$,
– a map $f : B_S \to 2^*$, such that¹ $\mathrm{ran}(f)$ is a set of leaves of a binary
tree and
– a colouring map $c : \mathrm{tree}(\mathrm{ran}(f)) \to \{\text{green}, \text{red}, \text{white}\}$.

We define $T^S$ to be the binary tree $\mathrm{tree}(\mathrm{ran}(f))$ that has
$\mathrm{ran}(f)$ as its leaves, and say that a binary string $s$ is in play if
$s \in T^S$. If it is clear from the context we occasionally abbreviate $T^S$ by $T$.
We will sometimes denote a macrostate by a set of pairs $(b, s)$, usually written as
$b^s$, where $b \in B_S$ and $s = f(b)$, and deal with the colouring $c$ implicitly.

The initial macrostate $b^D_I$ consists of the singleton $\{b_I^\varepsilon\}$, where
$c(\varepsilon) = \text{white}$. To define the transition function $\delta$ let $S$ be
in $B^D$ and $y \in \Sigma$. We define $\delta(S, y) = S'$, where starting from the
empty set we build up $S'$ in the following steps:

1. Move: For every $a^s \in S$ and $b \in \Delta(a, y)$, add $b^s$ to $S'$.

2. Append: For every $a^s \in S'$, where $a \notin F$, change $a^s$ to $a^{s0}$. For
every $a^s \in S'$, where $a \in F$, change $a^s$ to $a^{s1}$.

3. Resolve: If $a^s$ and $a^t$ are in $S'$, where $s < t$, delete $a^s$.

4. Compress/Colour: Let $c(t) = \text{white}$ for every $t \in T^{S'}$. Now we
compress and colour $T'$ in the following way, until there exists no witness
$t \in T'$ such that (a) or (b) is applicable:²

(a) For any $t \in T'$ such that $t0 \in T'$ and $t1 \notin T'$, change every
$a^s \in S'$, where $t0 \sqsubseteq s$, to $a^{s[t0 \mapsto t]}$. For any $s \in T'$
where $t \sqsubset s$, let $c(s) = \text{red}$.

(b) For any $t \in T'$ such that $t0 \notin T'$ and $t1 \in T'$, change every
$a^s \in S'$, where $t1 \sqsubseteq s$, to $a^{s[t1 \mapsto t]}$. For any $s \in T'$
such that $t = s0 \cdots 0$, let $c(s) = \text{green}$ if $c(s) \neq \text{red}$. In
particular let $c(t) = \text{green}$ if $c(t) \neq \text{red}$. For any $s \in T'$
where $t \sqsubset s$, let $c(s) = \text{red}$.

We define $B^D$ as the set of macrostates that can be reached from $b^D_I$ in this
way. A run of $\mathbb{B}^D$ is accepting if there is a binary string $s$ which is in
play cofinitely often, such that $c(s)$ is green infinitely often and red only
finitely often.

¹ Here $\mathrm{ran}(f)$ denotes the co-domain of $f$.

Fig. 2. A nondeterministic Büchi automaton $\mathbb{B}$ on the left and its
determinization on the right. The diagram in the middle shows the internal structure
of the macrostates $m_0$, $m_1$, $m_2$ and $m_3$ of $\mathbb{B}^D$. Binary trees are
represented in the obvious way (i.e., the root is the string $\varepsilon$, and for
every node the left child appends 0 and the right child appends 1). The transitions
of $\mathbb{B}^D$ are split in two parts: In the first part one level of the run tree
is added, corresponding to the steps 1 and 2 in the definition of the transition
function. In the second part (the dashed arrows) the tree is pruned and compressed,
corresponding to the steps 3 and 4. The acceptance condition of $\mathbb{B}^D$ is
such that the word $a^\omega$ is accepted by $\mathbb{B}^D$ because the string
$\varepsilon$ is always in play, marked green infinitely often and never red.
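As an added illustration of steps 1–4 and of the Rabin condition above (example code written for this page, not code from the paper or from [5]), the following Python transcribes $\delta$ and runs it on a constructed two-state Büchi automaton that accepts exactly the streams with finitely many b's; `accepts_lasso` checks the acceptance condition on an ultimately periodic stream $u \cdot v^\omega$ by following the run of $\mathbb{B}^D$ until it cycles. The automaton, the function names and the representation of a macrostate as a (pairs, colouring) tuple are my own choices.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

State = int
Pairs = FrozenSet[Tuple[State, str]]      # the pairs b^s of a macrostate
Colouring = FrozenSet[Tuple[str, str]]    # colouring c as (node, colour) pairs
Macro = Tuple[Pairs, Colouring]           # a macrostate of B^D

# Constructed NBA B = (B, Delta, b_I, F), not taken from the paper: it accepts
# exactly the streams over {a, b} with finitely many b's. Missing entries are empty.
DELTA: Dict[Tuple[State, str], Set[State]] = {
    (0, "a"): {0, 1}, (0, "b"): {0},
    (1, "a"): {1},
}
INITIAL: State = 0
ACCEPTING: Set[State] = {1}    # F


def tree(leaves: Iterable[str]) -> Set[str]:
    """tree(L): every prefix of every leaf, including the root ''."""
    return {s[:i] for s in leaves for i in range(len(s) + 1)}


def initial_macro() -> Macro:
    """b_I^D = {b_I^epsilon} with c(epsilon) = white."""
    return frozenset({(INITIAL, "")}), frozenset({("", "white")})


def step(macro: Macro, letter: str) -> Macro:
    """The transition delta(S, y) of B^D, steps 1-4."""
    pairs, _ = macro
    # 1. Move: follow every transition, keeping the annotation.
    moved = {(b, s) for (a, s) in pairs for b in DELTA.get((a, letter), set())}
    # 2. Append: 1 records that the new state is in F, 0 that it is not.
    appended = {(a, s + ("1" if a in ACCEPTING else "0")) for (a, s) in moved}
    # 3. Resolve: of several copies of a state keep the lexicographically
    #    greatest annotation (Python's str order is the lexicographic order on 2*).
    current: Dict[State, str] = {}
    for a, s in appended:
        if a not in current or s > current[a]:
            current[a] = s
    # 4. Compress/Colour: start white, then repeatedly identify a node that has
    #    exactly one child with that child (Proposition 1 of [5]: order irrelevant).
    T = tree(current.values())
    colour = {t: "white" for t in T}
    while True:
        witness = next((t for t in sorted(T)
                        if (t + "0" in T) != (t + "1" in T)), None)
        if witness is None:
            break
        t = witness
        bit = "0" if t + "0" in T else "1"
        # s[t.bit -> t] for every annotation s below the unique child.
        for a, s in list(current.items()):
            if s.startswith(t + bit):
                current[a] = t + s[len(t) + 1:]
        T = tree(current.values())
        # Every name strictly below t now denotes a different node: red.
        for s in T:
            if len(s) > len(t) and s.startswith(t):
                colour[s] = "red"
        if bit == "1":
            # A 1 was compressed: t and every s with t = s0...0 turn green.
            for s in T:
                if (t.startswith(s) and set(t[len(s):]) <= {"0"}
                        and colour.get(s) != "red"):
                    colour[s] = "green"
        colour = {s: colour.get(s, "white") for s in T}
    return frozenset(current.items()), frozenset(colour.items())


def run(word: str) -> List[Macro]:
    """Macrostates visited by B^D on a finite prefix, starting at b_I^D."""
    macros = [initial_macro()]
    for y in word:
        macros.append(step(macros[-1], y))
    return macros


def accepts_lasso(prefix: str, loop: str) -> bool:
    """Rabin acceptance of B^D on prefix.loop^omega: some string s is in play in
    every macrostate of the eventual cycle, green in one and red in none."""
    m = run(prefix)[-1]
    boundary: Dict[Macro, int] = {}   # macrostate at a loop boundary -> index
    history: List[Macro] = []
    while m not in boundary:           # B^D is finite, so this terminates
        boundary[m] = len(history)
        for y in loop:
            history.append(m)
            m = step(m, y)
    cycle = history[boundary[m]:]
    in_play = set.intersection(*(tree(s for _, s in p) for p, _ in cycle))
    for s in in_play:
        colours = [dict(c)[s] for _, c in cycle]
        if "green" in colours and "red" not in colours:
            return True
    return False
```

On this automaton the reachable macrostates are $\{0^\varepsilon\}$, $\{0^0, 1^1\}$ with all nodes white, and $\{0^0, 1^1\}$ with node 1 green; reading b returns to the initial macrostate, so a stream is accepted iff it ends in $a^\omega$.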




Theorem 2. $\mathbb{B}$ accepts a word $w$ iff $\mathbb{B}^D$ accepts $w$.


Remark 1. For a Büchi automaton of $n$ states, our construction yields a
deterministic automaton $\mathbb{B}^D$ with $n^{O(n)}$ states and a Rabin condition
of $O(2^n)$ pairs, see Lemma 5 of [5]. With some adaptations we could also match the
optimal Rabin condition, which is known to be linear-size [20].

² As shown in Proposition 1 of [5] this procedure does not depend on the order in
which witnesses are chosen, and thus produces a unique binary tree.

This can be achieved by adding a labelling function as follows: Let
$L = \{1, \ldots, 2n - 1\}$ be the set of potential labels. Macrostates are defined
as before, where an additional injective function $l : T^S \to L$ is added. For the
initial state we let $l(\varepsilon) = 1$. The steps 1–4 in the transition function
remain the same, and we add a final step 5 in which we define the new labelling
function $l'$: We let $l'(s) = l(s)$ for all $s$ that already occurred in $T^S$, and
for all $s \in T^{S'} \setminus T^S$ we let $c(s) = \text{red}$ and choose new,
distinct labels in $L$, i.e. ones which do not occur in $\mathrm{ran}(l)$. The binary
tree $T'$ has at most $n$ leaves, hence it has at most $2n - 1$ nodes, so this is
always possible.

The new acceptance condition has the following form: A run of the automaton is
accepting if there is a label $k \in L$ such that $c(l^{-1}(k))$ is green infinitely
often and red only finitely often. Here $c(l^{-1}(k))$ is defined to be red if
$k \notin \mathrm{ran}(l)$. This is a Rabin condition with $O(n)$ pairs. Notably we
still have $n^{O(n)}$ macrostates, thus the determinization method is optimal.


3.2 Parity Automata 


We now extend the approach to parity automata. Let $\Sigma$ be an alphabet and
$\mathbb{A} = (A, \Delta_A, a_I, \Omega)$ be a nondeterministic parity automaton.

In order to present the intuitive idea behind the construction we first transform
$\mathbb{A}$ into an equivalent nondeterministic Büchi automaton $\mathbb{B}$. Let $m$
be the maximal even priority of $\Omega$. For even $k = 0, 2, \ldots, m$ we define
$\mathbb{A}_0, \mathbb{A}_2, \ldots, \mathbb{A}_m$ as copies of $\mathbb{A}$ without the
states of priority smaller than $k$, i.e. $\mathbb{A}_k = (A_k, \Delta_k, F_k)$ with
$A_k = \{a_k \mid a \in A \wedge \Omega(a) \geq k\}$, $\Delta_k = \Delta_A|_{A_k}$ and
$F_k = \{a_k \in A_k \mid \Omega(a) = k\}$.

Now we define the nondeterministic Büchi automaton $\mathbb{B} = (B, \Delta_B, b_I, F)$:³

$$B = A \cup \bigcup_{\substack{k = 0 \\ k \text{ even}}}^{m} A_k, \qquad b_I = a_I, \qquad F = \bigcup_{\substack{k = 0 \\ k \text{ even}}}^{m} F_k,$$

$$\Delta_B = \Delta_A \cup \bigcup_{\substack{k = 0 \\ k \text{ even}}}^{m} \Delta_k \cup \{(a, y, b_k) \in A \times \Sigma \times A_k \mid b \in \Delta_A(a, y),\ k = 0, 2, \ldots, m\}.$$

Although $\mathbb{A}_k$ is not an automaton, as it does not have an initial state, we
can define the Büchi automaton
$\mathbb{A} \cup \mathbb{A}_k = (A \cup A_k, \Delta_B|_{A \cup A_k}, a_I, F_k)$ for
$k = 0, \ldots, m$.

The intuition behind the determinization of the parity automaton $\mathbb{A}$ is the
following: We apply the binary tree construction to every automaton
$\mathbb{A} \cup \mathbb{A}_k$, for $k = 0, 2, \ldots, m$, which is possible as there
are no paths from $A_k$ to $A_j$ if $k \neq j$ and none of the accepting states of
$\mathbb{B}$ are in the set $A$. The annotation of a state $a \in A$ will then be the
tuple $(s_0, s_2, \ldots, s_m)$, where $s_k$ is the annotation at the state
$a_k \in A \cup A_k$. Note that the automaton $\mathbb{A}^D$ will be different from
the automaton obtained from the binary tree construction on the whole

³ For easier notation we represent the transition function
$B \times \Sigma \to \mathcal{P}(B)$ by its corresponding relation (i.e., a subset of
$B \times \Sigma \times B$).
To make that formal we need some definitions. A treetop $L$ is a set of leaves of a
binary tree where potentially the minimal leaf is missing, i.e. $L$ is a finite set
of binary strings such that for all $s \neq t \in L$ it holds that
$s \not\sqsubseteq t$ and
$\mathrm{tree}(L) = \{s \in 2^* \mid \exists t \in L : s \sqsubseteq t\} \cup \{s0 \mid s = 0 \cdots 0 \text{ and } s1 \in L\}$
is a binary tree.

For even $m$ let
$\mathrm{TSeq}(m) = \{(s_0, s_2, \ldots, s_m) \mid s_0, s_2, \ldots, s_m \in 2^*\}$ be
the set of sequences of length $m/2 + 1$, where $s_0, \ldots, s_m$ are binary
strings. Let $\pi_k$ be the projection function which maps
$\sigma = (s_0, \ldots, s_m)$ to $s_k$ for $k = 0, 2, \ldots, m$. We define a partial
order $<$ on $\mathrm{TSeq}(m)$: Let $(s_0, \ldots, s_m) < (t_0, \ldots, t_m)$ if there
exists $l \in \{0, \ldots, m\}$ such that $s_l < t_l$ and $s_j = t_j$ for
$j = 0, \ldots, l - 2$.

We now define the deterministic Rabin automaton
$\mathbb{A}^D = (A^D, \delta_A, a^D_I, R_A)$. Let $m$ be the maximal even priority of
$\Omega$ in $\mathbb{A}$. An element $S$ in the carrier $A^D$ of $\mathbb{A}^D$
consists of a tuple $(A_S, f, c_0, \ldots, c_m)$, where

– $A_S$ is a subset of $A$,

– $f : A_S \to \mathrm{TSeq}(m)$, such that $\mathrm{ran}(\pi_k \circ f)$ is a treetop
for $k = 0, \ldots, m$ and

– $c_k$ is a colouring map from $\mathrm{tree}(\mathrm{ran}(\pi_k \circ f))$ to
$\{\text{green}, \text{red}, \text{white}\}$ for $k = 0, 2, \ldots, m$.

We define $T^S_k$ to be the binary tree $\mathrm{tree}(\mathrm{ran}(\pi_k \circ f))$ for
$k = 0, 2, \ldots, m$ and say a binary string $s$ is in play at position $k$ if
$s \in T^S_k$. If the context is clear we will abbreviate $T^S_k$ with $T_k$. Again we
sometimes denote a macrostate by a set of pairs $(a, \sigma)$, usually written as
$a^\sigma$, where $a \in A_S$ and $\sigma = f(a)$, and deal with the colourings $c_k$
implicitly.

To define the transition function $\delta_A$ let $S$ be in $A^D$ and $y \in \Sigma$.
We define $\delta_A(S, y) = S'$, where $S'$ is constructed in the following steps:


1. (a) Move: For every $a^\sigma \in S$ and $b \in \Delta_A(a, y)$, add $b^\sigma$ to
$S'$.

(b) Reduce: For every $a^\sigma \in S'$, change $a^\sigma$ to $a^{\sigma'}$, where
$\sigma'$ is obtained from $\sigma = (s_0, \ldots, s_m)$ by replacing every $s_j$ with
$j > \Omega(a)$ by $\mathrm{minL}(T_j)$.

2. Append: For every $a^\sigma \in S'$ and $\sigma = (s_0, \ldots, s_m)$, change
$a^\sigma$ to $a^{\sigma'}$, where
$\sigma' = (s_0 0, \ldots, s_{k-2} 0, s_k 1, s_{k+2} 0, \ldots, s_m 0)$ if
$\Omega(a) = k$ is even, and $\sigma' = (s_0 0, \ldots, s_m 0)$ if $\Omega(a) = k$ is
odd.

3. Resolve: If $a^\sigma$ and $a^\tau$ are in $S'$ and $\sigma < \tau$, delete
$a^\sigma$.

4. Compress/Colour: Do for every $k = 0, 2, \ldots, m$: Let $c_k(t) = \text{white}$
for any $t \in T_k$. Now we compress and colour $T_k$ inductively in the following
way, until there exists no witness $t \in T_k$ such that (a) or (b) is applicable:

(a) For any $t \in T_k$ such that $t0 \in T_k$ and $t1 \notin T_k$, change every
$a^\sigma \in S'$, where $\sigma = (s_0, \ldots, s_m)$ and $t0 \sqsubseteq s_k$, to
$a^{\sigma'}$, where $\sigma' = (s_0, \ldots, s_k[t0 \mapsto t], \ldots, s_m)$. For any
$s \in T_k$ where $t \sqsubset s$, let $c_k(s) = \text{red}$.

(b) For any $t \in T_k$ such that $t0 \notin T_k$, $t1 \in T_k$ and
$t \neq 0 \cdots 0$, change every $a^\sigma \in S'$, where
$\sigma = (s_0, \ldots, s_m)$ and $t1 \sqsubseteq s_k$, to $a^{\sigma'}$, where
$\sigma' = (s_0, \ldots, s_k[t1 \mapsto t], \ldots, s_m)$. For any $s \in T_k$ such
that $t = s0 \cdots 0$, let $c_k(s) = \text{green}$ if $c_k(s) \neq \text{red}$. In
particular let $c_k(t) = \text{green}$ if $c_k(t) \neq \text{red}$. For any
$s \in T_k$ where $t \sqsubset s$, let $c_k(s) = \text{red}$.
A run of $\mathbb{A}^D$ is accepting if there is $k \in \{0, 2, \ldots, m\}$ and a
binary string $s$ which is in play at position $k$ cofinitely often, such that
$c_k(s)$ is green infinitely often and red only finitely often.


Theorem 3. Let $\mathbb{A}$ be a parity automaton and $\mathbb{A}^D$ the
deterministic Rabin automaton defined from $\mathbb{A}$. Then
$L(\mathbb{A}) = L(\mathbb{A}^D)$.


Remark 2. For a parity automaton $\mathbb{A}$ of size $n$ with highest even priority
$m$, our construction produces a deterministic Rabin automaton with $n^{O(n)}$
macrostates and $O(m \cdot 2^n)$ Rabin pairs, see Lemma 6 of [5].


4 BT Proofs 


4.1 Proof Systems 


We present two non-wellfounded proof systems for the modal μ-calculus, namely BT
and $\mathsf{BT}^\infty$. The idea is that annotated sequents in the BT system
correspond to macrostates of $\mathbb{A}^D$, where $\mathbb{A}$ is a nondeterministic
parity automaton checking the trace condition in an NW proof. The rules of BT
resemble the transition function of $\mathbb{A}^D$.

Let $\Phi$ be a set of formulas, the sequent we want to prove, and let
$m = \max_\Omega(\Phi)$ be the maximal even priority of $\Omega$. Annotated sequents
are sets of pairs $(\varphi, \sigma)$, usually written as $\varphi^\sigma$, where
$\varphi \in \mathrm{Clos}(\Phi)$ and $\sigma \in \mathrm{TSeq}(m)$. For an annotated
sequent $\Gamma$ we let $\Gamma^A$ be the set of annotations occurring in $\Gamma$,
i.e. $\Gamma^A = \{\sigma \in \mathrm{TSeq}(m) \mid \exists \varphi \text{ s.t. } \varphi^\sigma \in \Gamma\}$.
We let $\Gamma^A_k$ be the set of binary strings occurring at the $k$-th position of
the annotations in $\Gamma$, i.e., $\Gamma^A_k = \pi_k[\Gamma^A]$. We say that a
string $s$ occurs in $\Gamma^A_k$ if there exists $t \in \Gamma^A_k$ such that
$s \sqsubseteq t$.

For $\sigma = (s_0, \ldots, s_m) \in \mathrm{TSeq}(m)$ we define
$\sigma \cdot 1_k = (s_0, \ldots, s_k 1, \ldots, s_m)$ and
$\sigma \cdot 0_k = (s_0, \ldots, s_k 0, \ldots, s_m)$. For an annotated sequent
$\Gamma$ we let $\Gamma^{\cdot 0_k}$ denote the annotated sequent
$\{\varphi^{\sigma \cdot 0_k} \mid \varphi^\sigma \in \Gamma\}$.

Let $\Gamma$ be an annotated sequent and $\varphi^\sigma \in \Gamma$. We define
$\sigma{\downarrow}k^\Gamma$ to be the tuple of binary strings obtained from
$\sigma = (s_0, \ldots, s_m)$ by replacing every $s_j$ with $j > k$ by
$\mathrm{minL}(\mathrm{tree}(\Gamma^A_j))$. If the context $\Gamma$ is clear we write
$\sigma{\downarrow}k$ instead of $\sigma{\downarrow}k^\Gamma$.


The rules $\mathsf{Compress}^{s,0}_k$ and $\mathsf{Compress}^{s,1}_k$ are schemata for
$k = 0, 2, \ldots, m$ and $s \in 2^*$. In these rules the notation
$\varphi^{\sigma(st_k)}$ is to be read such that $st_k$ is the binary string in the
$k$-th position of the annotation. We will write Compress for any of those rules and
write $\mathsf{Compress}_k$ for either $\mathsf{Compress}^{s,0}_k$ or
$\mathsf{Compress}^{s,1}_k$.

Note that, if one ignores the annotations, the rules Ax1, Ax2, $R_\lor$, $R_\land$,
$R_\mu$, $R_\nu$ and $R_\Box$ in Fig. 3 are the same as the rules of NW. As mentioned
above, annotated sequents in the BT system correspond to macrostates of
$\mathbb{A}^D$, where $\mathbb{A}$ is a nondeterministic parity automaton checking the
trace condition in an NW proof. The rules of BT correspond to the transition
function $\delta_A$ of $\mathbb{A}^D$, where the transformations of $\delta_A$ are
distributed over multiple rules: Step 1(a) of $\delta_A$ is carried out in every
rule, and step 1(b) and step 2 correspond to the modification of the annotations in
the rules $R_\mu$ and $R_\nu$. Notably, we do not add zeros to the annotations if the
zeros would get deleted anyway in step 4 of the transition function. The rules
Resolve and Compress are additional and correspond to steps 3 and 4 of $\delta_A$.
Fig. 3. Rules of BT


Definition 6. A BT derivation $\pi$ is a derivation defined from the rules in
Fig. 3, such that the rules are applied with the following priority: first Resolve,
then Compress, and then all other rules.


Just as annotated sequents correspond to macrostates of the deterministic automaton
$\mathbb{A}^D$, the soundness conditions of $\mathsf{BT}^\infty$ and BT correspond to
the acceptance condition of $\mathbb{A}^D$: We say that a pair $(k, s)$ is preserved
at a node if $s$ is in play at position $k$ at the corresponding macrostate and not
marked red, and progresses if it is marked green.


Definition 7. Let $\pi$ be a BT derivation of $\Phi$, $m = \max_\Omega(\Phi)$ and
$S$ be a set of nodes in $\pi$. Let $k \in \{0, 2, \ldots, m\}$ and $s \in 2^*$. We
say that the pair $(k, s)$

– is preserved on $S$ if
• $s$ occurs in $S(v)^A_k$ for every $v$ in $S$ and
• if $R(v) = \mathsf{Compress}^{t}_k$ for a node $v$ in $S$, then $t \not\sqsubset s$,
– progresses (infinitely often) on $S$ if there is $s' = s0 \cdots 0$ such that
$R(v) = \mathsf{Compress}^{s',1}_k$ for some $v$ in $S$ (for infinitely many $v \in S$).


Definition 8. Let $\pi$ be a BT derivation. An infinite branch
$\alpha = (u_i)_{i \in \omega}$ in $\pi$ is successful if there are $N$ and $(k, s)$
such that $(k, s)$ is preserved and progresses infinitely often on
$\{u_i \mid i \geq N\}$. A $\mathsf{BT}^\infty$ proof is a BT derivation without
occurrences of $D^x$ and such that all infinite branches are successful. A BT proof
is a finite BT derivation such that for each strongly connected subgraph $S$ in
$T^C_\pi$ there exists $(k, s)$ that is preserved and progresses on $S$.

We write $\mathsf{BT} \vdash \Gamma$ ($\mathsf{BT}^\infty \vdash \Gamma$) if there is
a BT ($\mathsf{BT}^\infty$) proof of $\Gamma$, i.e., a proof where $\Gamma$ is the
sequent at the root of the proof.
Remark 3. In the proof system JS introduced by Jungteerapanich and Stirling 
[13,23] annotated sequents are of the form Θ ⊢ φ_1^{a_1}, ..., φ_n^{a_n}, where a_1, ..., a_n are 
sequences of names and the so-called control Θ is a linear order on all names 
occurring in the sequent. In contrast to JS, our sequents consist of formulas with 
annotations and nothing else, that is, no control. On the other hand, the sound- 
ness condition of BT is less local: it speaks about strongly connected subgraphs, 
whereas in JS only paths between leaves and their companions have to be checked. 
We see that the control in JS gives information on the structure of the cyclic 
proof tree. Interestingly, we could also add a control to our sequents and obtain a 
soundness condition that talks about paths, if desired. Similarly, in [1] a control 
was added to a cyclic system for the first-order μ-calculus introduced by [22] to 
obtain a path-based system. 


4.2 Soundness and Completeness 


The intuitive idea behind the BT^∞ proof system is the following: Starting with 
an NW proof, we can define a nondeterministic parity automaton 𝒜 that checks 
if an infinite branch carries a ν-trail. Using the determinization method from 
Sect. 3 we simulate macrostates of 𝒜^D by annotated formulas in the proof system. 
Thus an infinite branch in BT^∞ resembles an infinite run of 𝒜^D. This will be 
formalised in the soundness and completeness proofs. 


Tracking Automaton. Let Φ be a sequent of formulas, ηx_1.ψ_1, ..., ηx_n.ψ_n the 
fixpoint formulas in Fix(Φ) and Ω the parity function on Fix(Φ). 

We define a nondeterministic parity automaton that checks if there is a ν- 
trail on an infinite branch of some NW proof of Φ. The alphabet Σ consists of 
all triples (Γ, ξ, Γ'), where Γ ⊆ Clos(Φ) is the conclusion and Γ' ⊆ Clos(Φ) is 
the premise of a rule in Fig. 1 with principal formula ξ. We define the following 
nondeterministic parity automaton 𝒜 = (A, Δ, a_I, Ω_𝒜): 


— A = {a_I} ∪ Clos(Φ) ∪ {ηx.ψ* | ηx.ψ ∈ Clos(Φ)}, 

— For each γ ∈ A and (Γ, ξ, Γ') ∈ Σ: 
  1. if γ = a_I, then Δ(γ, (Γ, ξ, Γ')) = Γ, 
  2. if γ = ξ = ηx.ψ, then Δ(γ, (Γ, ξ, Γ')) = {ηx.ψ*}, 
aa ties AG UE S e eet eae 
  4. else Δ(γ, (Γ, ξ, Γ')) = {γ' | (γ, γ') ∈ Tr_{Γ,Γ'}}. 

— For all states ηx.ψ* let Ω_𝒜(ηx.ψ*) = Ω(ηx.ψ). For all other states a let 
  Ω_𝒜(a) = maxΩ(Φ) if maxΩ(Φ) is odd and Ω_𝒜(a) = maxΩ(Φ) + 1 else. 


Let α = (v_n)_{n∈ω} be an infinite branch in an NW proof π. We define w(α) ∈ Σ^ω 
to be the infinite word 

(S(v_0), f(v_0), S(v_0)) (S(v_0), f(v_0), S(v_1)) (S(v_1), f(v_1), S(v_2)) ... 


Lemma 1. Let α be an infinite branch in an NW proof. Then α carries a ν-trail 
iff w(α) ∈ L(𝒜). 


Combining Lemma 1 and Theorem 3 from Sect. 3 we get 


256 M. Dekker et al. 


Lemma 2. Let π be an NW derivation. Then π is an NW proof iff for every 
infinite branch α in π it holds that w(α) ∈ L(𝒜^D). 


Lemma 3. Let Γ be a sequent. Then NW ⊢ Γ iff BT^∞ ⊢ Γ^ε. 


Proof (Sketch). Let π be an NW proof of a sequent Γ. Inductively we translate 
every node v in π to a node v' plus some additional nodes, such that v' is labeled 
by the same sequent as v plus annotations. This can be achieved by replacing 
every rule in NW by its corresponding rule in BT and adding the rules Resolve 
and Compress whenever applicable. This yields a BT derivation ρ. It remains 
to show that every infinite branch α = (v_i)_{i∈ω} in ρ is successful. Let α̂ be the 
corresponding infinite branch in π. Due to Lemma 2 it holds that w(α̂) ∈ L(𝒜^D). 
Thus there is (k, s) such that s is in play at position k cofinitely often and c_i(s) is 
green infinitely often and red only finitely often. As the annotations in α resemble 
the annotations in the run of 𝒜^D on α̂, it follows that there is some N ∈ ω such 
that (k, s) is preserved and progresses infinitely often on {v_i | i ≥ N}. 

Conversely, let ρ be a BT^∞ proof of Γ^ε. We let π be the NW derivation defined 
from ρ by omitting the rules Resolve and Compress and reducing the other rules 
to the corresponding NW rules. We have to show that every infinite branch 
α in π is successful. Let α' = (v_i)_{i∈ω} be the corresponding infinite branch in 
ρ. Because ρ is a BT^∞ proof there are N, (k, s) such that (k, s) is preserved and 
progresses infinitely often on {v_i | i ≥ N}. Again the annotations in α' resemble 
the annotations in the run of 𝒜^D on α, thus (k, s) witnesses the acceptance of 
the run of 𝒜^D on α and Lemma 2 concludes the proof. 


Theorem 4 (Soundness and Completeness). Let Γ be a sequent. Then 
there is a BT^∞-proof of Γ^ε iff ⋁Γ is valid. 


Proof. This follows from Lemma 3 and Theorem 1. 


4.3 Cyclic BT Proofs 


As NW proofs can be assumed to be regular and annotations are added deter- 
ministically, we can also assume BT^∞ proofs to be regular. A standard argument 
then transforms regular BT^∞ proofs into BT proofs and vice versa. 


Lemma 4. An annotated sequent is provable in BT iff it is provable in BT^∞. 


Theorem 5 (Soundness and Completeness). Let Γ be a sequent. Then 
there is a BT-proof of Γ^ε iff ⋁Γ is valid. 


Remark 4. The number of distinct subtrees in a regular BT^∞ proof can be 
bounded by the number of distinct annotated sequents. This follows because 
the same statement holds for NW proofs [19] and because in the proof of Lemma 
3 annotations and extra rules are added deterministically to sequents in NW 
proofs. 

Let Φ be a sequent, n = |Clos(Φ)| and m = maxΩ(Φ). There are at most 
nOn) many distinct annotated sequents occurring in a proof of Φ, because 
annotated sequents resemble macrostates in 𝒜^D and as seen in Remark 2 there 
are at most nO """) distinct macrostates in 𝒜^D. 

Combining these two observations with the proof of Lemma 4 yields that the 
height of a BT proof of a sequent Φ can be bounded by nO”. This is the same 
complexity as in JS [13]. 


Remark 5. Given a BT derivation π, we can check if π is a BT proof in coNP. 
We can give the following algorithm in NP that checks if π is not a BT proof: 
choose non-deterministically a strongly connected subgraph S and check if there 
exists (k, s) that is preserved and progresses on S; the latter can be done in 
polynomial time. The complexity of proof checking can be compared to linear 
time in JS and PSPACE in NW. Note that, if we add a control to the BT proof 
system, the soundness condition boils down to checking paths between leaves and 
their companions. In that case proof checking could also be done in linear time. 


5 Conclusions and Future Work 


We hope that this paper contributes to the theory of non-wellfounded and cyclic 
proof systems by discussing applications of automata theory in the field. We 
have argued for the relevance of the notion of determinizing stream automata 
in the design of proof systems for the modal μ-calculus. More concretely, we 
have introduced a determinization construction based on binary trees and used 
this to obtain a new derivation system BT which is cyclic, cut-free, and sound 
and complete for the collection of valid L_μ-formulas. In the remainder of this 
concluding section we point out some directions for future research. 

First of all, our approach is not restricted to the modal μ-calculus, but will 
apply to non-wellfounded and cyclic derivation systems for many other logics 
as well. For instance, in the proof systems LKID^ω [3] for first-order logic with 
inductive definitions, cyclic arithmetic CA [21] and similar systems, the trace con- 
dition is of the form that on every infinite branch there is a term/variable which 
progresses infinitely often. This condition can be checked by a nondeterministic 
Büchi automaton and thus our method would yield an annotated proof system, 
where the annotations are binary strings, which label the terms/variables. 

Second, in Remark 3 we discussed some relative advantages and disadvan- 
tages of the systems JS and BT. It would be interesting to either design a system 
that combines the advantages of both systems (i.e. sequents consisting of anno- 
tated formulas only as in BT, and a local condition for proof checking as in JS), 
or prove that such a system cannot exist. 

Finally, it would be interesting (and in fact, it was one of the original aims 
of our work), to connect annotation-based sequent calculi such as JS and BT 
to Kozen’s Hilbert-style proof system and to see whether a more structured 
automata-theoretic approach would yield an alternative proof of Walukiewicz’ 
completeness result. Note that this was also the goal of Afshari & Leigh [2]; 
unfortunately, it was recently shown by the second author [14] that the system 
Clo, a key system in Afshari & Leigh’s approach linking JS to Kozen’s axioma- 
tization, is in fact incomplete. 
Abstract. We introduce a Gentzen-style framework, called layered 
sequent calculi, for modal logic K5 and its extensions KD5, K45, KD45, 
KB5, and S5 with the goal to investigate the uniform Lyndon interpo- 
lation property (ULIP), which implies both the uniform interpolation 
property and the Lyndon interpolation property. We obtain complexity- 
optimal decision procedures for all logics and present a constructive proof 
of the ULIP for K5, which to the best of our knowledge, is the first such 
syntactic proof. To prove that the interpolant is correct, we use model- 
theoretic methods, especially bisimulation modulo literals. 


1 Introduction 


The uniform interpolation property (UIP) is an important property of a logic. 
It strengthens the Craig interpolation property (CIP) by making interpolants 
depend on only one formula of an implication, either the premise or conclusion. 
A lot of work has gone into proving the UIP, and it is shown to be useful in 
various areas of computer science, including knowledge representation [17] and 
description logics [25]. Early results on the UIP in modal logic include positive 
results proved semantically for logics GL and K (independently in [9,32,35]) 
and negative results for logics S4 [10] and K4 [5]. A proof-theoretic method to 
prove the UIP was first proposed in [30] for intuitionistic propositional logic and 
later adapted to modal logics, such as K and T in [5]. A general proof-theoretic 
method of proving the UIP for many classical and intuitionistic (non-)normal 
modal logics and substructural (modal) logics based on the form of their sequent- 
calculi rules was developed in the series of papers [2,3,16]. 
Apart from the UIP, we are also interested in the uniform Lyndon inter- 
polation property (ULIP) that is a strengthening of the UIP in the sense that 
interpolants must respect the polarities of the propositional variables involved. 
Kurahashi [18] first introduced this property and proved it for several normal 
modal logics, by employing a semantic method using layered bisimulations. A 
sequent-based proof-theoretic method was used in [1] to show the ULIP for sev- 
eral non-normal modal logics and conditional logics. 

Our long-term goal is to provide a general proof-theoretic method to (re)prove 
the UIP for modal logics via multisequent calculi (i.e., nested sequents, hyperse- 
quents, labelled hypersequents, etc.). Unlike many other ways of proving inter- 
polation, the proof-theoretic treatment is constructive in that it additionally 
yields an algorithm for constructing uniform interpolants. Towards this goal, we 
build on the modular treatment of multicomponent calculi to prove the CIP for 
modal and intermediate logics in [8,19,21,23,24]. First steps have been made 
by reproving the UIP for modal logics K, D, and T via nested sequents [12] and 
for S5 via hypersequents [11,13], the first time this is proved proof-theoretically 
for S5. 

In this paper, we focus on logics K5, KD5, K45, KD45, KB5, and S5. The ULIP 
for these logics was derived in [18, Prop. 3] from the logics’ local tabularity [28] 
and Lyndon interpolation property (LIP) [20]. 

Towards a modular proof-theoretic treatment, we introduce a new form of 
multisequent calculi for these logics that we call layered sequent calculi, the 
structure of which is inspired by the structure of the Kripke frames for the 
concerned logics from [27]. For S5, this results in standard hypersequents [4, 26, 
31]. For K5 and KD5, the presented calculi are similar to grafted hypersequent 
calculi in [22] but without explicit weakening. Other, less related, proof systems 
include analytic cut-free sequent systems for K5 and KD5 [34], cut-free sequent 
calculi for K45 and KD45 [33], and nested sequent calculi for modal logics [7]. 

The layered sequent calculi introduced in this paper adopt a strong version 
of termination that only relies on a local loop-check based on saturation. For 
all concerned logics, this yields a decision procedure that runs in co-NP time, 
which is, therefore, optimal [15]. We provide a semantic completeness proof via 
a countermodel construction from failed proof search. 

Finally, layered sequents are used to provide the first proof-theoretic proof of 
the ULIP for K5. The method is adapted from [11,13] in which the UIP is proved 
for S5 based on hypersequents. We provide an algorithm to construct uniform 
Lyndon interpolants purely by syntactic means using the termination strategy of 
the proof search. To show the correctness of the constructed interpolants, we use 
model-theoretic techniques inspired by bisimulation quantification in the setting 
of uniform Lyndon interpolation [18]. 

An extended version of the paper with more detailed proofs is found in [14]. 


2 Preliminaries 


The language of modal logics consists of a set Pr of countably many (proposi- 
tional) atoms p, q, ..., their negations p̄, q̄, ..., propositional connectives ∧ and ∨, 
boolean constants ⊤ and ⊥, and modal operators □ and ◇. A literal ℓ is either 
an atom or its negation, and the set of all literals is denoted by Lit. We define 
modal formulas in the usual way and denote them by lowercase Greek letters 
φ, ψ, .... We define φ̄ using the usual De Morgan laws to push the negation 
inwards (in particular, p̄̄ := p) and φ → ψ := φ̄ ∨ ψ. We use uppercase Greek 
letters Γ, Δ, ... to refer to finite multisets of formulas. We write Γ, Δ to mean 
Γ ⊎ Δ and Γ, φ to mean Γ ⊎ {φ}. The set of literals of a formula φ, denoted 
Lit(φ), is defined recursively: Lit(⊤) = Lit(⊥) = ∅, Lit(ℓ) = {ℓ} for ℓ ∈ Lit, 
Lit(φ ∧ ψ) = Lit(φ ∨ ψ) = Lit(φ) ∪ Lit(ψ), and Lit(□φ) = Lit(◇φ) = Lit(φ). 

Table 1. Modal axioms and their corresponding frame conditions. 

Axiom | Formula | Frame condition 
k | □(φ → ψ) → (□φ → □ψ) | none 
5 | ◇φ → □◇φ | Euclidean: wRv ∧ wRu → vRu 
4 | □φ → □□φ | transitive: wRv ∧ vRu → wRu 
d | □φ → ◇φ | serial: ∀w∃v(wRv) 
b | φ → □◇φ | symmetric: wRv → vRw 
t | □φ → φ | reflexive: ∀w(wRw) 

We consider extensions of K5 with any combination of axioms 4, d, b, and t 
(Table 1). Several of the 16 combinations coincide, resulting in 6 logics: K5, 
KD5, K45, KD45, KB5, and S5 (Table 2). Throughout the paper, we assume 
L ∈ {K5, KD5, K45, KD45, KB5, S5} and write ⊢_L φ iff φ ∈ L. 


Definition 1 (Logic K5). Modal logic K5 is axiomatized by the classical tau- 
tologies, axioms k and 5, and rules modus ponens (from φ and φ → ψ infer ψ) 
and necessitation (from φ infer □φ). 


Throughout the paper we employ the semantics of Kripke frames and models. 


Definition 2 (Kripke semantics). A Kripke frame is a pair (W, R) where 
W is a nonempty set of worlds and R ⊆ W × W a binary relation. A Kripke 
model is a triple (W, R, V) where (W, R) is a Kripke frame and V : Pr → P(W) 
is a valuation function. A formula φ is defined to be true at a world w in a 
model M = (W, R, V), denoted M, w ⊨ φ, as follows: M, w ⊨ ⊤, M, w ⊭ ⊥ and 

M, w ⊨ p iff w ∈ V(p) 
M, w ⊨ p̄ iff w ∉ V(p) 
M, w ⊨ φ ∧ ψ iff M, w ⊨ φ and M, w ⊨ ψ 
M, w ⊨ φ ∨ ψ iff M, w ⊨ φ or M, w ⊨ ψ 
M, w ⊨ □φ iff for all v ∈ W such that wRv, M, v ⊨ φ 
M, w ⊨ ◇φ iff there exists v ∈ W such that wRv and M, v ⊨ φ. 

Formula φ is valid in M = (W, R, V), denoted M ⊨ φ, iff for all w ∈ W, 
M, w ⊨ φ. We call ∅ ≠ C ⊆ W a cluster (in M) iff C × C ⊆ R, i.e., the 
relation R is total on C. We write wRC iff wRv for all v ∈ C. 
Table 2. Semantics for extensions of K5 (see [27,29]). Everywhere not ρRρ for the 
root ρ, set C is a finite cluster, and ⊔ denotes disjoint union. 

Logic L | Axiomatization | Class of L-frames (W, R) 
K5 | Definition 1 | W = {ρ} or W = {ρ} ⊔ C 
KD5 | K5 + d | W = {ρ} ⊔ C 
K45 | K5 + 4 | W = {ρ} or (W = {ρ} ⊔ C and ρRC) 
KD45 | K5 + d + 4 | W = {ρ} ⊔ C and ρRC 
KB5 | K5 + b | W = {ρ} or W = C 
S5 | K5 + t | W = C 


We work with specific classes of Kripke models sound and complete w.r.t. 
the logics. The respective frame conditions for the logic L, called L-frames, are 
defined in Table 2. A model (W, R, V) is an L-model iff (W, R) is an L-frame. 
Table 2 is a refinement of Theorem 3, particularly shown for K45, KD45, and KB5 
in [29]. More precisely, we consider rooted frames and completeness w.r.t. the 
root, i.e., ⊢_L φ iff for all L-models M with root ρ, M, ρ ⊨ φ (we often denote 
the if-condition as ⊨_L φ). For each logic, this follows from easy bisimulation 
arguments. 


Theorem 3 ([27]). Any normal modal logic containing K5 is sound and com- 
plete w.r.t. a class of finite Euclidean Kripke frames (W, R) of one of the follow- 
ing forms: (a) W = {ρ} consists of a singleton root and R = ∅, (b) the whole W 
is a cluster (any world can be considered its root), or (c) W \ {ρ} is a cluster for 
a (unique) root ρ ∈ W such that ρRw for some w ∈ W \ {ρ} while not ρRρ. 


Definition 4 (UIP and ULIP). A logic L has the uniform interpolation 
property (UIP) iff for any formula φ and p ∈ Pr there is a formula ∀pφ such 
that 

(1) Lit(∀pφ) ⊆ Lit(φ) \ {p, p̄}, 
(2) ⊢_L ∀pφ → φ, and 
(3) ⊢_L ψ → φ implies ⊢_L ψ → ∀pφ for any formula ψ with p, p̄ ∉ Lit(ψ). 

A logic L has the uniform Lyndon interpolation property (ULIP) [1,18] iff 
for any formula φ and ℓ ∈ Lit, there is a formula ∀ℓφ such that 

(i) Lit(∀ℓφ) ⊆ Lit(φ) \ {ℓ}, 
(ii) ⊢_L ∀ℓφ → φ, and 
(iii) ⊢_L ψ → φ implies ⊢_L ψ → ∀ℓφ for any formula ψ with ℓ ∉ Lit(ψ). 

We call ∀pφ (∀ℓφ) the uniform (Lyndon) interpolant of φ w.r.t. atom p (lit- 
eral ℓ). 

These are often called pre-interpolants as opposed to their dual post-interpolants 
that, in classical logic, can be defined as ∃pφ = (∀pφ̄)‾ and ∃ℓφ = (∀ℓ̄φ̄)‾ (see, e.g., 
[1,5,11,18] for more explanations). 
Theorem 5. If a logic L has the ULIP, then it also has the UIP. 

Proof. We define a uniform interpolant of φ w.r.t. atom p as a uniform Lyndon 
interpolant ∀p̄∀pφ of ∀pφ w.r.t. literal p̄. We need to demonstrate conditions 
UIP(1)-(3) from Definition 4. First, it follows from ULIP(i) that Lit(∀p̄∀pφ) ⊆ 
Lit(∀pφ) \ {p̄} ⊆ Lit(φ) \ {p, p̄}. Second, ⊢_L ∀p̄∀pφ → ∀pφ and ⊢_L ∀pφ → φ by 
ULIP(ii), hence ⊢_L ∀p̄∀pφ → φ. Finally, if ⊢_L ψ → φ where p, p̄ ∉ Lit(ψ), then 
by ULIP(iii), ⊢_L ψ → ∀pφ as p ∉ Lit(ψ) and ⊢_L ψ → ∀p̄∀pφ as p̄ ∉ Lit(ψ). 


3 Layered Sequents 


Definition 6 (Layered sequents). A layered sequent is a generalized one- 
sided sequent of the form 

G = Γ_1, ..., Γ_n, [Σ_1], ..., [Σ_m], [[Π_1]], ..., [[Π_k]]   (1) 

where Γ_i, Σ_i, Π_i are finite multisets of formulas, n, m, k ≥ 0, and if k ≥ 1, then 
m ≥ 1. A layered sequent is an L-sequent iff it satisfies the conditions in the 
rightmost column of Table 3. Each Σ_i, each Π_i, and ⋃_i Γ_i is called a sequent 
component of G. The formula interpretation of a layered sequent G above is: 

ι(G) = ⋁_i (⋁Γ_i) ∨ ⋁_{i=1}^{m} □(⋁Σ_i) ∨ ⋁_{i=1}^{k} □□(⋁Π_i). 

Layered sequents are denoted by G and H. The structure of a layered sequent 
can be viewed as at most two layers of hypersequents ([ ]-components Σ_i and 
[[ ]]-components Π_i forming the first and second layer respectively) possibly 
nested on top of the sequent component ⋃_i Γ_i as the root. Following the arboreal 
terminology from [22], the root is called the trunk while [ ]- and [[ ]]-components 
form the crown. Analogously to nested sequents representing tree-like Kripke 
models, the structure of L-sequents is in line with the structure of L-models 
introduced in Sect. 2. We view sequent components as freely permutable, e.g., 
[[Π_1]], Γ_3, [Σ_4], Γ_2 and Γ_3, Γ_2, [Σ_4], [[Π_1]] represent the same layered sequent. 


Table 3. Layered sequent calculi L.L: in addition to explicitly stated rules, all L.L 
have axioms id_p and id_⊤ and rules ∨, ∧, ◇_c, and ◇_t (see Fig. 1). Note that the rules of 
system L.L may only be applied to L-sequents. 

Calculus | Sequent rules | Conditions on layered sequents 
L.K5 | t Oi c! | n ≥ 1, m, k ≥ 0 
L.KD5 | t Ot a | de dv | n ≥ 1, m, k ≥ 0 
L.K45 | t Qi | Oe | n ≥ 1, m ≥ 0, k = 0 
L.KD45 | t Qie di | de | n ≥ 1, m ≥ 0, k = 0 
L.KB5 | U e | n = 0, m ≥ 2, k = 0 or n = 1, m = 0, k = 0 
L.S5 | P | n = 0, m ≥ 1, k = 0 
Remark 7. The layered calculi presented here generalize grafted hypersequents 
of [22] and, hence, similarly combine features of hypersequents and nested 
sequents. In particular, layered sequents are generally neither pure hypersequents 
(except for the case of S5) nor bounded-depth nested sequents. The latter is due 
to the fact that the defining property of nested sequents is the tree structure 
of the sequent components, whereas the crown components of a layered sequent 
form a cluster. Although formally grafted hypersequents are defined with one 
layer only, this syntactic choice is more of a syntactic sugar than a real dis- 
tinction. Indeed, the close relationship of one-layer grafted hypersequents for 
K5 and KD5 in [22] to the two-layer layered sequents presented here clearly 
manifests itself when translating grafted hypersequents into the prefixed-tableau 
format (see the grafted tableau system for K5 [22, Sect. 6]). There prefixes for the 
crown are separated into two types, limbs and twigs, which match the separation 
into [ ]- and [[ ]]-components. 


For a layered sequent (1), we assign labels to the components as follows: 
the trunk is labeled e, [ ]-components get distinct labels e1, e2, ..., and [[ ]]- 
components get distinct labels 1, 2, .... We let σ, τ, ... range over these labels. 
The set of labels is denoted Lab(G) and σ ∈ G means σ ∈ Lab(G). We write 
σ : φ ∈ G (or σ : φ if no confusion occurs) when a formula φ occurs in a sequent 
component of G labeled by σ. 


Example 8. G = φ, ψ, [χ], [ξ], [[θ]] is a layered sequent with the trunk and three 
crown components: two [ ]-components and one [[ ]]-component. Since it has 
both the trunk and a [[ ]]-component, it can only be a K5- or KD5-sequent. A cor- 
responding labeled sequent is G = φ_e, ψ_e, [χ]_{e1}, [ξ]_{e2}, [[θ]]_1, with the set Lab(G) = 
{e, e1, e2, 1} of four labels. Similarly, for the KB5/S5-sequent H = [φ], [θ], a cor- 
responding labeled sequent is H = [φ]_{e1}, [θ]_{e2} with Lab(H) = {e1, e2}. 


Fig. 1. Layered sequent rules: brackets ⟨ ⟩ and ⟨⟨ ⟩⟩ range over both [ ] and [[ ]]. 
We sometimes use unary contexts, i.e., layered sequents with exactly one hole, 
denoted { }. Such contexts are denoted by G{ }. The insertion G{Γ} of a finite 
multiset Γ into G{ } is obtained by replacing { } with Γ. The hole { } in a 
component σ can also be labeled G{ }_σ. We use the notations ⟨ ⟩ and ⟨⟨ ⟩⟩ to 
refer to either of [ ] or [[ ]]. 

Using Fig. 1 and the middle column of Table 3, we define layered sequent 
calculi L.K5, L.KD5, L.K45, L.KD45, L.KB5, and L.S5, where L.L is the calculus 
for the logic L. Following the terminology from [22], we split all modal rules into 
trunk rules (subscript t) and crown rules (subscript c) depending on the position 
of the principal formula. We write ⊢_{L.L} G iff G is derivable in L.L. 


Definition 9 (Saturation). Labeled formula σ : φ ∈ G is saturated for L.L iff 

- φ equals p or p̄ for an atom p, or equals ⊥, or equals ⊤; 
- φ = φ_1 ∧ φ_2 and σ : φ_i ∈ G for some i; 
- φ = φ_1 ∨ φ_2 and both σ : φ_1 ∈ G and σ : φ_2 ∈ G; 
- φ = □φ', the unique rule applicable to σ : □φ' in L.L is either □_t or □_c (i.e., 
  a rule creating a [ ]-component), and ei : φ' ∈ G for some i; 
- φ = □φ', the unique rule applicable to σ : □φ' in L.L is □_c^! (i.e., a rule 
  creating a [[ ]]-component), and i : φ' ∈ G for some i. 

In addition, we define for any label σ and formula φ: 

σ : ◇φ is saturated w.r.t. e ∈ Lab(G); 
σ : ◇φ is saturated w.r.t. a label ei ∈ Lab(G) iff ei : φ ∈ G; 
σ : ◇φ is saturated w.r.t. a label i ∈ Lab(G) iff σ = e or i : φ ∈ G; 
σ : ◇φ is d_t-saturated iff σ ≠ e or ei : φ ∈ G for some i; 
σ : ◇φ is d_c-saturated iff σ = e or ei : φ ∈ G for some i; 
σ : ◇φ is d_c^!-saturated iff σ = e or i : φ ∈ G for some i. 

G is propositionally saturated iff all ∨- and ∧-formulas are saturated in G. L- 
sequent G is L-saturated iff a) each non-◇ formula is saturated, b) each σ : ◇φ 
is saturated w.r.t. every label in Lab(G), c) each σ : ◇φ is d-saturated whenever 
d ∈ L.L ∩ {d_t, d_c, d_c^!}, and d) G is not of the form H{⊤} or H{q, q̄} for some 
q ∈ Pr. 


Theorem 10. Proof search in L.L modulo saturation terminates and provides 
an optimal-complexity decision algorithm, i.e., runs in co-NP time. 

Proof. Given a proof search of layered sequent G, for each layered sequent H in 
this proof search, consider its labeled formulas as a set F_H = {σ : φ | σ : φ ∈ H}. 
Let s be the number of subformulas occurring in G and N be the number of 
sequent components in G. Since we only apply rules (that do not equal id_p or id_⊤) 
to non-saturated sequents, sets F_H will grow for each premise. Going bottom-up 
in the proof search, at most s labels of the form ei and at most s labels of the 
form i can be created, and each label can have at most s formulas. Therefore, the 
cardinality of sets F_H is bounded by s(N + s + s), which is polynomial in the size 
of F_G. Hence, the proof search terminates modulo saturation. Moreover, since 
each added labeled formula is linear in the size of F_G and the non-deterministic 
branching in the proof search is bounded by (N + s + s)s(N + s + s), again a 
polynomial in the size of F_G, this algorithm is co-NP, i.e., provides an optimal 
decision procedure for the logic. 


Definition 11 (Interpretations). An interpretation of an L-sequent G into 
an L-model M = (W, R, V) is a function I : Lab(G) → W such that the following 
conditions apply whenever the respective type of labels exists in G: 

1. I(e) = ρ, where ρ is the root of M; 
2. I(e) R I(ei) for each label of the form ei ∈ Lab(G); 
3. I(ei) R I(j) and I(j) R I(ei) for all labels of the form ei and j in Lab(G); 
4. Not I(e) R I(j) for any label of the form j ∈ Lab(G). 

Note that none of the conditions (1)-(4) apply to layered S5-sequents. 


Definition 12 (Sequent semantics). For any given interpretation I of an 
L-sequent G into an L-model M, 

M, I ⊨ G iff M, I(σ) ⊨ φ for some σ : φ ∈ G. 

G is valid in L, denoted ⊨_L G, iff M, I ⊨ G for all L-models M and interpreta- 
tions I of G into M. We omit L and M when clear from the context. 


The proof of the following theorem is based on a countermodel construction 
(for more standard parts of the proof we refer to the Appendix of [14]): 


Theorem 13 (Soundness and completeness). For any L-sequent G, 

⊢_{L.L} G ⟺ ⊢_L ι(G) ⟺ ⊨_L G. 


Proof. We show a cycle of implications. The left-to-middle implication, i.e., that 
⊢_{L.L} G ⟹ ⊢_L ι(G), can be proved by induction on the L.L-derivation of G. 

For the middle-to-right implication, i.e., ⊢_L ι(G) ⟹ ⊨_L G, let G be a sequent 
of form (1). We prove that M, I ⊭ G implies M, I(e) ⊭ ι(G) (if n = 0, use e1 
in place of e). By definition, I(e) is the root of M. If M, I ⊭ G, then I(e) ⊭ φ 
for all φ ∈ ⋃_i Γ_i, for each 1 ≤ i ≤ m we have I(ei) ⊭ ψ for all ψ ∈ Σ_i, 
and for each 1 ≤ i ≤ k we have I(i) ⊭ χ for all χ ∈ Π_i. By Definition 11, in 
case k ≥ 1 label e1 is in G and I(e) R I(e1) R I(i) for each 1 ≤ i ≤ k. Therefore 
M, I(e) ⊭ ι(G). 

Finally, we prove the right-to-left implication by contraposition using a coun- 
termodel construction: from a failed proof search of G, construct an L-model 
refuting G from (1). In a failed proof-search tree (Theorem 10), since ⊬_{L.L} G, at 
least one saturated leaf 

G' = Γ', [Σ'_1], ..., [Σ'_{m'}], [[Π'_1]], ..., [[Π'_{k'}]] 

is such that ⋃_i Γ_i ⊆ Γ', Σ_i ⊆ Σ'_i, and Π_i ⊆ Π'_i (or for KB5, if G = Γ, then 
G' = Γ' for Γ ⊆ Γ' or [Σ'_1], [Σ'_2], ..., [Σ'_m] with Γ ⊆ Σ'_1). Define M = (W, R, V): 

W = Lab(G'),   V(p) = {σ | σ : p̄ ∈ G'}, 
R = {(e, ei) | ei ∈ Lab(G')} ∪ {(σ, τ) | σ, τ ∈ Lab(G'), σ, τ ≠ e}. 

Since G' is saturated, M is an L-model. Taking I of G into M as the identity 
function (or I(e) = e1 in case of KB5), we have M, I ⊭ G as desired. 
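As an added example (not the paper's code), the Kripke semantics of Definition 2, the Lit function and frame conditions of Table 1, and the countermodel construction from a saturated leaf in the proof above, carried out in Python for the one-sided form of axiom 4, which K5 does not prove. The tuple encoding of formulas, the hand-built leaf LEAF_AXIOM_4 and all function names are assumptions of this example.

```python
from itertools import product

# Formulas in negation normal form, as in the paper's language (an assumed encoding):
#   ('top',) ('bot',) ('atom', p) ('neg', p)  -- ('neg', p) is the negated atom p-bar
#   ('and', a, b) ('or', a, b) ('box', a) ('dia', a)

def lit(phi):
    """Lit(phi) from Sect. 2: the set of literals occurring in phi."""
    op = phi[0]
    if op in ('top', 'bot'):
        return set()
    if op in ('atom', 'neg'):
        return {phi}
    if op in ('and', 'or'):
        return lit(phi[1]) | lit(phi[2])
    return lit(phi[1])                      # 'box' / 'dia'

def holds(model, w, phi):
    """M, w |= phi (Definition 2); model = (W, R, V), R a set of pairs, V: atom -> set."""
    W, R, V = model
    op = phi[0]
    if op == 'top':
        return True
    if op == 'bot':
        return False
    if op == 'atom':
        return w in V.get(phi[1], set())
    if op == 'neg':
        return w not in V.get(phi[1], set())
    if op == 'and':
        return holds(model, w, phi[1]) and holds(model, w, phi[2])
    if op == 'or':
        return holds(model, w, phi[1]) or holds(model, w, phi[2])
    successors = [v for v in W if (w, v) in R]
    if op == 'box':
        return all(holds(model, v, phi[1]) for v in successors)
    if op == 'dia':
        return any(holds(model, v, phi[1]) for v in successors)
    raise ValueError(op)

def is_euclidean(W, R):
    """Frame condition of axiom 5 (Table 1): wRv and wRu imply vRu."""
    return all((v, u) in R for w, v, u in product(W, repeat=3)
               if (w, v) in R and (w, u) in R)

def is_cluster(C, R):
    """Nonempty C with C x C included in R, i.e. R total on C."""
    return bool(C) and all((u, v) in R for u in C for v in C)

def is_k5_frame(W, R, root):
    """Form (a) or (c) of Theorem 3: just the root, or root + cluster it reaches."""
    C = set(W) - {root}
    if not C:
        return (root, root) not in R
    return is_cluster(C, R) and (root, root) not in R and any((root, c) in R for c in C)

def countermodel(leaf):
    """M = (W, R, V) from a saturated labeled leaf G' exactly as in the proof of
    Theorem 13; `leaf` maps labels ('e', 'e1', ..., 1, 2, ...) to sets of formulas."""
    W = set(leaf)
    R = {('e', s) for s in W if isinstance(s, str) and s.startswith('e') and s != 'e'}
    R |= {(s, t) for s in W for t in W if s != 'e' and t != 'e'}
    V = {}
    for s, formulas in leaf.items():
        for phi in formulas:
            if phi[0] == 'neg':            # sigma : p-bar in G'  =>  sigma in V(p)
                V.setdefault(phi[1], set()).add(s)
    return (W, R, V)

def refutes(model, leaf):
    """M, I |/= G' for I the identity on labels: no labeled formula of G' is true."""
    return not any(holds(model, s, phi) for s, fs in leaf.items() for phi in fs)

# Constructed input: the saturated leaf that L.K5 proof search reaches from the
# sequent  <>p-bar, [][]p  (one-sided axiom 4): []_t opens [ ]p ]_e1, <>_t adds p-bar
# there, and the crown rule for []p opens the [[ ]]-component 1 containing p.
P, NP = ('atom', 'p'), ('neg', 'p')
AXIOM_4 = ('or', ('dia', NP), ('box', ('box', P)))
LEAF_AXIOM_4 = {'e': {('dia', NP), ('box', ('box', P))},
                'e1': {('box', P), NP},
                1: {P}}

def demo():
    M = countermodel(LEAF_AXIOM_4)
    W, R, _ = M
    return {'k5_frame': is_k5_frame(W, R, 'e'),
            'euclidean': is_euclidean(W, R),
            'refutes_leaf': refutes(M, LEAF_AXIOM_4),
            'axiom_4_at_root': holds(M, 'e', AXIOM_4),
            'literals': lit(AXIOM_4)}
```

The returned dictionary shows that the three-label leaf yields a Euclidean K5-frame whose root falsifies axiom 4, the countermodel the proof promises.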
4 Uniform Lyndon Interpolation 


Definition 14 (Multiformulas). The grammar 
Ʊ ::= σ : φ | (Ʊ ⊗ Ʊ) | (Ʊ ⊕ Ʊ) 

defines multiformulas, where σ : φ is a labeled formula. Lab(Ʊ) denotes the set 
of labels of Ʊ. An interpretation I of a layered sequent G into a model M is 
called an interpretation of a multiformula Ʊ into M iff Lab(Ʊ) ⊆ Lab(G). If I is 
an interpretation of Ʊ into M, we define M, I ⊨ Ʊ as follows: 

M, I ⊨ σ : φ iff M, I(σ) ⊨ φ, 
M, I ⊨ Ʊ_1 ⊗ Ʊ_2 iff M, I ⊨ Ʊ_1 and M,I ⊨ Ʊ_2, 
M, I ⊨ Ʊ_1 ⊕ Ʊ_2 iff M, I ⊨ Ʊ_i for at least one i = 1, 2. 

Multiformulas Ʊ_1 and Ʊ_2 are said to be equivalent, denoted Ʊ_1 ≡_L Ʊ_2, or simply 
Ʊ_1 ≡ Ʊ_2, iff M, I ⊨ Ʊ_1 ⟺ M, I ⊨ Ʊ_2 for any interpretation I of both Ʊ_1 and Ʊ_2 
into an L-model M. 


Lemma 15 ([21]). Any multiformula Ʊ can be transformed into an equivalent 
one in SDNF (SCNF) as a ⊕-disjunction (⊗-conjunction) of ⊗-conjunctions 
(⊕-disjunctions) of labeled formulas σ : φ such that each label of Ʊ occurs exactly 
once per conjunct (disjunct). 


Definition 16 (Bisimilarity). Let M = (W, R, V) and M' = (W', R', V') 
be models and ℓ ∈ Lit. We say M' is ℓ-bisimilar to M, denoted M' ≼_ℓ M, 
iff there is a nonempty binary relation Z ⊆ W × W', called an ℓ-bisimulation 
between M and M', such that the following hold for every w ∈ W and w' ∈ W': 

literals_ℓ. if wZw', then a) M, w ⊨ q iff M', w' ⊨ q for all atoms q ∉ {ℓ, ℓ̄} and 
b) if M', w' ⊨ ℓ, then M, w ⊨ ℓ; 

forth. if wZw' and wRv, then there exists v' ∈ W' such that vZv' and w'R'v'; 

back. if wZw' and w'R'v', then there exists v ∈ W such that vZv' and wRv. 

M and M' are bisimilar, denoted M ∼ M', iff there is a relation Z ≠ ∅ 
satisfying forth and back, as well as part a) of literals_p for any p ∈ Pr, in 
which case Z is called a bisimulation. We write (similarly for ∼ instead of ≼_ℓ): 

— (M', w') ≼_ℓ (M, w) iff there is an ℓ-bisimulation Z such that wZw'; 
— (M', I') ≼_ℓ (M, I) for functions I : X → W and I' : X → W' iff there is an 
  ℓ-bisimulation Z such that I(σ) Z I'(σ) for each σ ∈ X. 


Note that ≼_ℓ is a preorder and we have M' ≼_ℓ M iff M ≼_{ℓ̄} M'. By analogy 
with [6, Theorem 2.20], we have the following immediate observation, which 
additionally holds for multiformulas Ʊ (we provide a proof in [14]): 


Lemma 17. Let I and I' be interpretations of a layered sequent G into mod- 
els M and M' respectively. 

1. Let ℓ ∉ Lit(G). If (M', I') ≼_ℓ (M, I), then M, I ⊨ G implies M', I' ⊨ G. 
2. If (M, I) ∼ (M', I'), then M, I ⊨ G iff M', I' ⊨ G. 
Definition 18 (BLUIP). Logic L is said to have the bisimulation layered-sequent uniform interpolation property (BLUIP) iff for every literal $\ell$ and every L-sequent $G$, there is a multiformula $A_\ell(G)$, called BLU interpolant, such that:

(i) $\mathrm{Lit}(A_\ell(G)) \subseteq \mathrm{Lit}(G) \setminus \{\ell\}$ and $\mathrm{Lab}(A_\ell(G)) \subseteq \mathrm{Lab}(G)$;

(ii) for each interpretation $\mathcal{I}$ of $G$ into an L-model $\mathcal{M}$, $\mathcal{M}, \mathcal{I} \vDash A_\ell(G)$ implies $\mathcal{M}, \mathcal{I} \vDash G$;

(iii) for each L-model $\mathcal{M}$ and interpretation $\mathcal{I}$ of $G$ into $\mathcal{M}$, if $\mathcal{M}, \mathcal{I} \nvDash A_\ell(G)$, then there is an L-model $\mathcal{M}'$ and interpretation $\mathcal{I}'$ of $G$ into $\mathcal{M}'$ such that $(\mathcal{M}', \mathcal{I}') \preceq_\ell (\mathcal{M}, \mathcal{I})$ and $\mathcal{M}', \mathcal{I}' \nvDash G$.
Lemma 19. The BLUIP for L implies the ULIP for L.

Proof. Let $\forall\ell\varphi = A_\ell(\varphi)$. We prove the properties of Definition 4. The variable property is immediate. For Property (ii), assume $\nvdash_L A_\ell(\varphi) \to \varphi$. By completeness, we have $\mathcal{M}, \rho \vDash A_\ell(\varphi)$ and $\mathcal{M}, \rho \nvDash \varphi$ for some L-model $\mathcal{M}$ with root $\rho$. As $\rho$ is the root, it can be considered as an interpretation by Definition 11. By condition (ii) from Definition 18 we get a contradiction. For (iii), let $\psi$ be a formula such that $\ell \notin \mathrm{Lit}(\psi)$ and suppose $\nvdash_L \psi \to A_\ell(\varphi)$. So there is an L-model $\mathcal{M}$ with root $\rho$ such that $\mathcal{M}, \rho \vDash \psi$ and $\mathcal{M}, \rho \nvDash A_\ell(\varphi)$. Again, $\rho$ is treated as an interpretation, and by (iii) from Definition 18, there is an L-model $\mathcal{M}'$ with root $\rho'$ such that $(\mathcal{M}', \rho') \preceq_\ell (\mathcal{M}, \rho)$ and $\mathcal{M}', \rho' \nvDash \varphi$. By Lemma 17, $\mathcal{M}', \rho' \vDash \psi$, hence $\nvdash_L \psi \to \varphi$ as desired.


To show that calculus L.K5 enjoys the BLUIP for K5, we need two important 
ingredients: some model modifications that are closed under bisimulation and 
an algorithm to compute uniform Lyndon interpolants. 


Definition 20 (Copying). Let $\mathcal{M} = (W, R, V)$ be a K5-model with root $\rho$ and cluster $C$. Model $\mathcal{N}' = (W \cup \{w_c\}, R', V')$ is obtained by copying $w \in C$ iff $R' = R \cup (\{w_c\} \times C) \cup (C \times \{w_c\}) \cup \{(\rho, w_c) \mid (\rho, w) \in R\} \cup \{(w_c, w_c)\}$, and $V'(p) = V(p) \cup \{w_c \mid w \in V(p)\}$ for any $p \in \mathrm{Pr}$. Model $\mathcal{N}'' = (W \cup \{w_c\}, R'', V'')$ is obtained by copying $w$ away from the root iff $R'' = R' \setminus \{(\rho, w_c)\}$.


Lemma 21. Let model $\mathcal{N}$ be obtained by copying a world $w$ from a K5-model $\mathcal{M}$ (away from the root). Let $\mathcal{I} : X \to \mathcal{M}$ and $\mathcal{I}' : X \to \mathcal{N}$ be interpretations such that for each $x \in X$, either $\mathcal{I}(x) = \mathcal{I}'(x)$ or $\mathcal{I}(x) = w$ while $\mathcal{I}'(x) = w_c$. Then, $\mathcal{N}$ is a K5-model and $(\mathcal{M}, \mathcal{I}) \sim (\mathcal{N}, \mathcal{I}')$.


In the construction of interpolants, we use the following rules $d_\Diamond$ and $dd$ and sets $G_e$ and $\Diamond\Box G_e$ of formulas from the crown of $G$:

$$G_e = \{\varphi \mid \sigma : \varphi \in G,\ \sigma \neq e\} \qquad \Diamond\Box G_e = \{\Diamond\psi \mid \Diamond\psi \in G_e\} \cup \{\Box\psi \mid \Box\psi \in G_e\}$$

$$\frac{\Gamma, [\{\psi \mid \Diamond\psi \in \Gamma\}]_{e1} \qquad \Gamma, \Diamond\top}{\Gamma}\ d_\Diamond \qquad\qquad \frac{G, [\{\psi \mid \Diamond\psi \in G\}]_{ed}, [[\{\chi \mid \Diamond\chi \in G_e\}]]_{d}}{G}\ dd$$
Rule $d_\Diamond$ shows similarities with rule $d_\Diamond$ from logics KD5 and KD45, but is only applied in the absence of the crown. Rule $d_\Diamond$ is sound for K5 because it can be viewed as a composition of an (admissible) cut on $\Box\bot$ and $\Diamond\top$ in the trunk, followed by the $\Box$-rule in the left premise on $\Box\bot$ that creates the first crown component (though $\bot$ is dropped from it), which is populated using several $\Diamond$-rules for $\Diamond\psi \in \Gamma$. The label of this crown component is always $e1$. Rule $dd$ provides extra information in the calculation of the uniform interpolant and is needed primarily for technical reasons. We highlight the two new sequent components created by the last instance of $dd$ using special placeholder labels $ed$ and $d$ for the respective brackets. These labels are purely for readability purposes and revert to the standard $ej$ and $k$ labels after the next instance of $dd$.


Table 4. Recursive construction of $A_\ell(t, \Sigma_e; G)$ for $G$ that are not K5-saturated.

| $G$ matches | $A_\ell(t, \Sigma_e; G)$ equals |
| 1. $G'\{\top\}$ | $\sigma : \top$ |
| 2. $G'\{q, \overline{q}\}$ | $\sigma : \top$ |
| 3. $G'\{\varphi \lor \psi\}$ | $A_\ell(t, \Sigma_e; G'\{\varphi \lor \psi, \varphi, \psi\})$ |
| 4. $G'\{\varphi \land \psi\}$ | $A_\ell(t, \Sigma_e; G'\{\varphi \land \psi, \varphi\}) \otimes A_\ell(t, \Sigma_e; G'\{\varphi \land \psi, \psi\})$ |
| 5. $G', \Box\varphi$ | $\bigotimes_{i=1}^{h} \bigl(e : \Box\delta_i \oplus \bigoplus_{\tau \in G} \tau : \gamma_{i,\tau}\bigr)$, where $j$ is the smallest integer such that $ej \notin G$ and the SCNF of $A_\ell(t, \Sigma_e; G', \Box\varphi, [\varphi]_{ej})$ is $\bigotimes_{i=1}^{h} \bigl(ej : \delta_i \oplus \bigoplus_{\tau \in G} \tau : \gamma_{i,\tau}\bigr)$ |
| 6. $G', [\Sigma, \Box\varphi]_{ej}$ | $\bigotimes_{i=1}^{h} \bigl(ej : \Box\delta_i \oplus \bigoplus_{\tau \in G} \tau : \gamma_{i,\tau}\bigr)$, where $k$ is the smallest integer such that $k \notin G$ and the SCNF of $A_\ell(t, \Sigma_e; G', [\Sigma, \Box\varphi]_{ej}, [[\varphi]]_k)$ is $\bigotimes_{i=1}^{h} \bigl(k : \delta_i \oplus \bigoplus_{\tau \in G} \tau : \gamma_{i,\tau}\bigr)$ |
| 7. $G', \Diamond\varphi, [\Sigma]$ | $A_\ell(t, \Sigma_e; G', \Diamond\varphi, [\Sigma, \varphi])$ |
| 8. $G', [\Sigma, \Diamond\varphi]$ | $A_\ell(t, \Sigma_e; G', [\Sigma, \Diamond\varphi, \varphi])$ |
| 9. $G', [\Sigma, \Diamond\varphi], [\Pi]$ | $A_\ell(t, \Sigma_e; G', [\Sigma, \Diamond\varphi], [\Pi, \varphi])$ |


To compute a uniform Lyndon interpolant $\forall\ell\varphi$ for a formula $\varphi$, we first compute a BLU interpolant $A_\ell(0, \emptyset; \varphi)$ by using the recursive function $A_\ell(t, \Sigma_e; G)$ with three parameters we present below. The main parameter is a K5-sequent $G$, while the other two parameters are auxiliary: $t \in \{0, 1\}$ is a boolean variable such that $t = 1$ guarantees that rule $dd$ has been applied at least once for the case when $G$ contains diamond formulas; $\Sigma_e \subseteq \Diamond\Box G_e$ is a set of modal formulas that provides a bookkeeping strategy to prevent redundant applications of rule $dd$.

To calculate $A_\ell(t, \Sigma_e; G)$ our algorithm makes a choice of which row from Table 4 to apply by trying each of the following steps in the specified order:

1. If possible, apply rows 1-2, i.e., stop and return $A_\ell(t, \Sigma_e; G) = \sigma : \top$.

2. If some formula $\varphi \lor \psi$ (resp. $\varphi \land \psi$) from $G$ is not saturated, compute $A_\ell(t, \Sigma_e; G)$ according to row 3 (resp. 4) applied to this formula.

3. If some formula $\Box\varphi \in G$ is not saturated (resp. $\Diamond\varphi \in G$ is not saturated w.r.t. $\sigma \in G$), compute $A_\ell(t, \Sigma_e; G)$ according to the unique respective row among 5-9 applicable to this formula (w.r.t. $\sigma$).

4. If Steps 1-3 do not apply, i.e., $G$ is saturated, proceed as follows:

(a) if $G$ has no $\Diamond$-formulas, stop and return $A_\ell(t, \Sigma_e; G) = \mathrm{LitDis}_\ell(G)$ where

$$\mathrm{LitDis}_\ell(G) = \bigoplus_{\sigma : \ell' \in G,\ \ell' \in \mathrm{Lit} \setminus \{\ell\}} \sigma : \ell' \qquad (2)$$

(b) else, if $G = \Gamma$ consists of the trunk only, apply rule $d_\Diamond$ as follows:

$$A_\ell(t, \emptyset; \Gamma) = \Bigl(e : \Box\bot \oplus \bigoplus_{i=1}^{h} \bigl(e : \Diamond\delta_i \otimes e : \gamma_i\bigr)\Bigr) \otimes \bigl(e : \Diamond\top \oplus \mathrm{LitDis}_\ell(\Gamma)\bigr) \qquad (3)$$

where the SDNF of $A_\ell(0, \emptyset; \Gamma, [\{\psi \mid \Diamond\psi \in \Gamma\}]_{e1})$ is

$$\bigoplus_{i=1}^{h} \bigl(e1 : \delta_i \otimes e : \gamma_i\bigr) \qquad (4)$$

(c) else, if $t = 1$ and $\Diamond\Box G_e \subseteq \Sigma_e$, stop and return $A_\ell(t, \Sigma_e; G) = \mathrm{LitDis}_\ell(G)$.

(d) else, apply the rule $dd$ as follows (where w.l.o.g. $e1 \in G$):

$$A_\ell(t, \Sigma_e; G) = \bigoplus_{i=1}^{h} \Bigl(e : \Diamond\delta_i \otimes e1 : \Diamond\delta'_i \otimes \bigotimes_{\tau \in G} \tau : \gamma_{i,\tau}\Bigr) \qquad (5)$$

where the SDNF of $A_\ell(1, \Diamond\Box G_e; G, [\{\psi \mid \Diamond\psi \in G\}]_{ed}, [[\{\chi \mid \Diamond\chi \in G_e\}]]_d)$ is

$$\bigoplus_{i=1}^{h} \Bigl(ed : \delta_i \otimes d : \delta'_i \otimes \bigotimes_{\tau \in G} \tau : \gamma_{i,\tau}\Bigr) \qquad (6)$$


The computation of the algorithm can be seen as a proof search tree (extended with rules $d_\Diamond$ and $dd$). In this proof search, a call $A_\ell(t, \Sigma_e; G)$ is sufficient (to be a BLU interpolant for $G$) if each branch going up from it either stops in Steps 1 or 4a or continues via Steps 4b or 4d. Otherwise, it is insufficient, i.e., if one of the branches stops in Step 4c, say, calculating $A_\ell(1, \Sigma_e; H)$. In this case, $A_\ell(1, \Sigma_e; H)$ is not generally a BLU interpolant for $H$, but these leaves provide enough information to find a BLU interpolant from some sequent down the proof search tree.


Example 22. Consider the layered sequent $G = \varphi$ for $\varphi = p \lor \Diamond\Diamond(p \lor q)$. We show how to construct $A_\ell(0, \emptyset; \varphi)$ for $\ell = p$. First, we compute the proof search tree decorated with $(t, \Sigma_e)$ to the left of each line, according to the algorithm, using the following abbreviations $\Gamma = \varphi, p, \Diamond\Diamond(p \lor q)$ and $\Sigma_1 = \Diamond(p \lor q), p \lor q, p, q$:

$(1, \{\Diamond(p \lor q)\})$ $\quad \Gamma, [\Sigma_1]_{e1}, [\Diamond(p \lor q), p \lor q, p, q]_{ed}, [[p \lor q, p, q]]_d$
$(1, \{\Diamond(p \lor q)\})$ $\quad \Gamma, [\Sigma_1]_{e1}, [\Diamond(p \lor q), p \lor q, p, q]_{ed}, [[p \lor q]]_d$
$(0, \emptyset)$ $\quad \Gamma, [\Diamond(p \lor q), p \lor q, p, q]_{e1}$
$(0, \emptyset)$ $\quad \Gamma, [\Diamond(p \lor q), p \lor q]_{e1}$
$(0, \emptyset)$ $\quad \Gamma, [\Diamond(p \lor q)]_{e1} \qquad\qquad \Gamma, \Diamond\top$
$(0, \emptyset)$ $\quad \varphi, p, \Diamond\Diamond(p \lor q)$
$(0, \emptyset)$ $\quad p \lor \Diamond\Diamond(p \lor q)$

$H = \varphi, p, \Diamond\Diamond(p \lor q), [\Diamond(p \lor q), p \lor q, p, q]_{e1}, [\Diamond(p \lor q), p \lor q, p, q]_{ed}, [[p \lor q, p, q]]_d$ in the left leaf is a saturated sequent with $\Diamond$-formulas, crown components, $t = 1$, and $\Diamond\Box H_e = \{\Diamond(p \lor q)\} \subseteq \{\Diamond(p \lor q)\} = \Sigma_e$. Hence, by Step 4c,

$$A_p(1, \{\Diamond(p \lor q)\}; H) = e : \bot \oplus e1 : q \oplus ed : q \oplus d : q. \qquad (7)$$

Applications of rule $\lor$ do not change the interpolant (Step 2, row 3). To compute $A_p(0, \emptyset; \Gamma, [\Sigma_1]_{e1})$ for the conclusion of $dd$, we convert (7) into an SDNF

$$\Bigl(e : \bot \otimes \bigotimes_{\sigma \in \{e1, ed, d\}} \sigma : \top\Bigr) \oplus \bigoplus_{\tau \in \{e1, ed, d\}} \Bigl(\tau : q \otimes \bigotimes_{\sigma \in \{e, e1, ed, d\} \setminus \{\tau\}} \sigma : \top\Bigr).$$

Now, by Step 4d, and converting into a new SDNF, we get $A_p(0, \emptyset; \Gamma, [\Sigma_1]_{e1}) = (e : (\bot \land \Diamond\top) \otimes e1 : (\top \land \Diamond\top)) \oplus (e : (\top \land \Diamond\top) \otimes e1 : (q \land \Diamond\top)) \oplus (e : (\top \land \Diamond q) \otimes e1 : (\top \land \Diamond\top)) \oplus (e : (\top \land \Diamond\top) \otimes e1 : (\top \land \Diamond q))$.

Further applications of $\lor$ and $\Diamond$ keep this interpolant intact. Note that the application of $d_\Diamond$ does not require to continue proof search for the right branch. Instead, Step 4b prescribes that $A_p(0, \emptyset; \varphi, p, \Diamond\Diamond(p \lor q)) = (e : \bot \oplus e : \Diamond\top) \otimes \bigl((e : (\bot \land \Diamond\top \land \Diamond(\top \land \Diamond\top))) \oplus (e : (\top \land \Diamond\top \land \Diamond(q \land \Diamond\top))) \oplus (e : (\top \land \Diamond q \land \Diamond(\top \land \Diamond\top))) \oplus (e : (\top \land \Diamond\top \land \Diamond(\top \land \Diamond q))) \oplus e : \Box\bot\bigr)$.

Simplifying, we finally obtain

$$A_p(0, \emptyset; \varphi) = e : \bigl((\bot \lor \Diamond\top) \land ((\bot \land \Diamond\top) \lor \Diamond\Diamond q \lor \Diamond q \lor \Box\bot)\bigr) = e : (\Diamond q \lor \Diamond\Diamond q). \qquad (8)$$

To check that $\Diamond q \lor \Diamond\Diamond q$ is a uniform Lyndon interpolant for $\varphi$ w.r.t. literal $p$, it is sufficient to verify that (8) is a BLU interpolant for $G$ by checking the conditions in Definition 18. We only check BLUIP(iii) as the least trivial. If $\mathcal{M}, \mathcal{I} \nvDash e : (\Diamond q \lor \Diamond\Diamond q)$ for an interpretation $\mathcal{I}$ into a K5-model $\mathcal{M} = (W, R, V)$, then, by Definitions 14 and 11, $\mathcal{M}, \rho \nvDash \Diamond q \lor \Diamond\Diamond q$ for the root $\rho$ of $\mathcal{M}$. For $\ell = p$, we have an $\ell$-bisimulation $(\mathcal{M}', \mathcal{I}) \preceq_\ell (\mathcal{M}, \mathcal{I})$ for $\mathcal{M}' = (W, R, V')$ with $V'(p) = \emptyset$ and $V'(r) = V(r)$ for $r \neq p$ since literals$_\ell$ allows to turn $p$ from true to false. It is easy to see that $\mathcal{M}', \rho \nvDash p \lor \Diamond\Diamond(p \lor q)$. Thus, $\mathcal{M}', \mathcal{I} \nvDash e : \varphi$.
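The following is an added example (not code from the paper) that makes the two ingredients of the BLUIP(iii) check above executable: finite Kripke models with the K5 (Euclidean) frame condition, evaluation of formulas in negation normal form, and the greatest $\ell$-bisimulation of Definition 16 computed by fixpoint refinement, applied to Example 22 with $\ell = p$, $\varphi = p \lor \Diamond\Diamond(p \lor q)$ and the interpolant $\Diamond q \lor \Diamond\Diamond q$. The model shape, valuation and all function names are constructed here and are not the paper's.

```python
# Added example, not from the paper: finite Kripke models, evaluation of NNF formulas, and the
# greatest l-bisimulation of Definition 16, used to re-run the BLUIP(iii) check of Example 22
# (l = p, phi = p v <><>(p v q), interpolant <>q v <><>q). Models and valuations are constructed.

def lit(name, positive=True):
    """Literal in negation normal form: ("lit", atom, polarity)."""
    return ("lit", name, positive)

def dia(f): return ("dia", f)
def box(f): return ("box", f)
def lor(a, b): return ("or", a, b)
def land(a, b): return ("and", a, b)

class Model:
    """Kripke model (W, R, V): R is a set of pairs, V maps each world to its true atoms."""
    def __init__(self, worlds, rel, val):
        self.W = frozenset(worlds)
        self.R = frozenset(rel)
        self.V = {w: frozenset(val.get(w, ())) for w in self.W}

    def succ(self, w):
        return {v for (u, v) in self.R if u == w}

    def is_k5(self):
        """Euclidean frame condition: wRu and wRv imply uRv."""
        return all((u, v) in self.R for (w, u) in self.R for (w2, v) in self.R if w == w2)

def holds(m, w, f):
    """M, w |= f for f in negation normal form."""
    tag = f[0]
    if tag == "lit":
        return (f[1] in m.V[w]) == f[2]
    if tag == "or":
        return holds(m, w, f[1]) or holds(m, w, f[2])
    if tag == "and":
        return holds(m, w, f[1]) and holds(m, w, f[2])
    if tag == "dia":
        return any(holds(m, v, f[1]) for v in m.succ(w))
    if tag == "box":
        return all(holds(m, v, f[1]) for v in m.succ(w))
    raise ValueError(f"unknown connective {tag}")

def greatest_ell_bisimulation(m, m2, ell, atoms):
    """Greatest Z subset of W x W' satisfying literals_l, forth and back (Definition 16).
    M' is l-bisimilar to M iff the result is non-empty. Clause b) of literals_l is one-directional:
    l true in M' forces l true in M, so l may change from true (in M) to false (in M'), never back."""
    def literals_ok(w, w2):
        same_other_atoms = all((q in m.V[w]) == (q in m2.V[w2]) for q in atoms if q != ell[1])
        return same_other_atoms and (holds(m, w, ell) or not holds(m2, w2, ell))

    Z = {(w, w2) for w in m.W for w2 in m2.W if literals_ok(w, w2)}
    changed = True
    while changed:                       # greatest-fixpoint refinement: drop pairs violating forth/back
        changed = False
        for (w, w2) in list(Z):
            forth = all(any((v, v2) in Z for v2 in m2.succ(w2)) for v in m.succ(w))
            back = all(any((v, v2) in Z for v in m.succ(w)) for v2 in m2.succ(w2))
            if not (forth and back):
                Z.discard((w, w2))
                changed = True
    return Z

PHI = lor(lit("p"), dia(dia(lor(lit("p"), lit("q")))))   # phi of Example 22
INTERPOLANT = lor(dia(lit("q")), dia(dia(lit("q"))))       # <>q v <><>q, the interpolant (8)

def drop_p_everywhere(m):
    """M' = (W, R, V') with V'(p) empty and V'(r) = V(r) otherwise, the model change of Example 22."""
    return Model(m.W, m.R, {w: m.V[w] - {"p"} for w in m.W})

def check_example22(m, root):
    """Returns (interpolant fails at root, (root, root) lies in the greatest p-bisimulation between
    M and M', phi fails at root of M'); BLUIP(iii) predicts (True, True, True) whenever the first is True."""
    m2 = drop_p_everywhere(m)
    Z = greatest_ell_bisimulation(m, m2, lit("p"), ("p", "q"))
    return (not holds(m, root, INTERPOLANT), (root, root) in Z, not holds(m2, root, PHI))

# Constructed K5 model: root rho sees v; the cluster {v, u} is a reflexive clique; p everywhere, q nowhere.
SAMPLE = Model(["rho", "v", "u"],
               [("rho", "v"), ("v", "v"), ("v", "u"), ("u", "v"), ("u", "u")],
               {"rho": ["p"], "v": ["p"], "u": ["p"]})
```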


We have the following properties of the algorithm (we provide a proof in [14]).

Lemma 23. All recursive calls $A_\ell(t, \Sigma_e; G)$ in a proof search tree of $A_\ell(0, \emptyset; \varphi)$ have the following properties:

1. The algorithm is terminating.

2. When Step 4b is applied, $t = 0$ and every branch going up from it consists of Steps 2-3 followed by either final Step 1 or continuation via Step 4d.

3. After Step 4d is applied, every branch going up from it consists of Steps 2 followed by a call $A_\ell(1, \Diamond\Box G_e; G, [\Phi]_{ed}, [[\Theta]]_d)$ of one of the following types:

(a) sufficient and final when calculated via Step 1;

(b) sufficient and propositionally saturated when calculated via Step 3, with every branch going up from there consisting of more Steps 2-3, followed by either final Step 1 or continuation via Step 4d;

(c) insufficient and saturated when calculated via Step 4c.

Theorem 24. Logic K5 has the BLUIP and, hence, the ULIP.


Proof. It is sufficient to prove that, once the algorithm starts on $A_\ell(0, \emptyset; \varphi)$, every sufficient call $A_\ell(t, \Sigma_e; G)$ in the proof search returns a BLU interpolant for a K5-sequent $G$. Because the induction on the proof search is quite technical and involves multiple cases, we demonstrate only a few representative cases and omit simple ones, e.g., BLUIP(i), altogether. We present more cases in the Appendix of [14].


BLUIP(ii) We show that $\mathcal{M}, \mathcal{I} \vDash A_\ell(t, \Sigma_e; G)$ implies $\mathcal{M}, \mathcal{I} \vDash G$ for any interpretation $\mathcal{I}$ of $G$ into any K5-model $\mathcal{M} = (W, R, V)$. The hardest among Steps 1-3 is Step 3 using row 5 in Table 4. Let $G = G', \Box\varphi$ and $\mathcal{M}, \mathcal{I} \vDash A_\ell(t, \Sigma_e; G', \Box\varphi)$ for

$$A_\ell(t, \Sigma_e; G', \Box\varphi) = \bigotimes_{i=1}^{h} \Bigl(e : \Box\delta_i \oplus \bigoplus_{\tau \in G} \tau : \gamma_{i,\tau}\Bigr), \qquad (9)$$

i.e., for each $1 \le i \le h$ either $\mathcal{M}, \rho \vDash \Box\delta_i$ or $\mathcal{M}, \mathcal{I}(\tau) \vDash \gamma_{i,\tau}$ for some $\tau \in G$. For an arbitrary $v$ such that $\rho R v$ and the smallest $j$ such that $ej \notin G$, clearly $\mathcal{I}_v = \mathcal{I} \cup \{(ej, v)\}$ is an interpretation of $G', \Box\varphi, [\varphi]_{ej}$ into $\mathcal{M}$. Since $\mathcal{M}, \mathcal{I}_v(ej) \vDash \delta_i$ whenever $\mathcal{M}, \rho \vDash \Box\delta_i$, it follows that for each $1 \le i \le h$ either $\mathcal{M}, \mathcal{I}_v(ej) \vDash \delta_i$ or $\mathcal{M}, \mathcal{I}_v(\tau) \vDash \gamma_{i,\tau}$ for some $\tau \in G$, i.e., $\mathcal{M}, \mathcal{I}_v \vDash A_\ell(t, \Sigma_e; G', \Box\varphi, [\varphi]_{ej})$ for

$$A_\ell(t, \Sigma_e; G', \Box\varphi, [\varphi]_{ej}) = \bigotimes_{i=1}^{h} \Bigl(ej : \delta_i \oplus \bigoplus_{\tau \in G} \tau : \gamma_{i,\tau}\Bigr). \qquad (10)$$

By IH, $\mathcal{M}, \mathcal{I}_v \vDash G', \Box\varphi, [\varphi]_{ej}$ whenever $\rho R v$. If $\mathcal{M}, \rho \vDash \Box\varphi$, then $\mathcal{M}, \mathcal{I} \vDash G$. Otherwise, $\mathcal{M}, \mathcal{I}_v(ej) \nvDash \varphi$ for some $v$ with $\rho R v$. For it, $\mathcal{M}, \mathcal{I}_v \vDash G'$, hence, $\mathcal{M}, \mathcal{I} \vDash G$.

The only other case we consider (here) is Step 4d. Let $\mathcal{M}, \mathcal{I} \vDash A_\ell(t, \Sigma_e; G)$ for $A_\ell(t, \Sigma_e; G)$ from (5), i.e., for some $1 \le i \le h$ we have $\mathcal{M}, \rho \vDash \Diamond\delta_i$, and $\mathcal{M}, \mathcal{I}(e1) \vDash \Diamond\delta'_i$, and $\mathcal{M}, \mathcal{I}(\tau) \vDash \gamma_{i,\tau}$ for all $\tau \in G$. In particular, $\mathcal{M}, v \vDash \delta_i$ for some $\rho R v$ and $\mathcal{M}, u \vDash \delta'_i$ for some $\mathcal{I}(e1) R u$. Let $\mathcal{M}'$ be obtained by copying $u$ into $u'$ away from the root in $\mathcal{M}$ and let $\mathcal{J} = \mathcal{I} \cup \{(ed, v), (d, u')\}$ be a well-defined interpretation. $\mathcal{M}', \mathcal{J} \vDash A_\ell(1, \Diamond\Box G_e; G, [\{\psi \mid \Diamond\psi \in G\}]_{ed}, [[\{\chi \mid \Diamond\chi \in G_e\}]]_d)$, as (6) is true for $\mathcal{M}'$ and $\mathcal{J}$. By IH, $\mathcal{M}', \mathcal{J} \vDash G, [\{\psi \mid \Diamond\psi \in G\}]_{ed}, [[\{\chi \mid \Diamond\chi \in G_e\}]]_d$. If $\mathcal{M}', v \vDash \psi$ for some $\Diamond\psi \in G$ or $\mathcal{M}', u' \vDash \chi$ for some $\Diamond\chi \in G_e$, then $\mathcal{M}', \mathcal{J} \vDash G$ because of $\Diamond\psi$ or $\Diamond\chi$ respectively. Otherwise, also $\mathcal{M}', \mathcal{J} \vDash G$. Since we have $(\mathcal{M}, \mathcal{I}) \sim (\mathcal{M}', \mathcal{J})$ by Lemma 21, we have $\mathcal{M}, \mathcal{I} \vDash G$ by Lemma 17(2) in all cases.

BLUIP(iii) We show the following statement by induction restricted to sufficient calls: if $\mathcal{M}, \mathcal{I} \nvDash A_\ell(t, \Sigma_e; G)$, then $\mathcal{M}', \mathcal{J}' \nvDash G$ for some interpretation $\mathcal{J}'$ of $G$ into another K5-model $\mathcal{M}'$ such that $(\mathcal{M}', \mathcal{J}') \preceq_\ell (\mathcal{M}, \mathcal{I})$. Here we only consider Step 4 as the other steps are sufficiently similar to K and S5 covered in [12, 13]. Among the four subcases, Step 4a is tedious but conceptually transparent. Step 4c is trivial because the induction statement is only for sufficient calls while Step 4c calls are insufficient by Lemma 23. Out of the remaining two steps we only have space for Step 4d, which is conceptually the most interesting because its recursive call may be insufficient, precluding the use of IH for it. Let $\mathcal{M}, \mathcal{I} \nvDash A_\ell(t, \Sigma_e; G)$ for $A_\ell(t, \Sigma_e; G)$ from (5).

We first modify $\mathcal{M}$ and $\mathcal{I}$ to obtain an injective interpretation $\mathcal{I}'$ into a K5-model $\mathcal{N}' = (W', R', V')$ such that $W' \setminus \mathrm{Range}(\mathcal{I}')$ is not empty and partitioned into pairs $(v, u)$ with $\mathcal{I}'(e) R' v$ and not $\mathcal{I}'(e) R' u$. To this end we employ copying as per Definition 20, constructing a sequence of interpretations $\mathcal{I}_i$ from $G$ into models $\mathcal{N}_i = (W_i, R_i, V_i)$ starting from $\mathcal{N}_0 = \mathcal{M}$ and $\mathcal{I}_0 = \mathcal{I}$ as follows:

1. If $\mathcal{I}_i(\tau_1) = \mathcal{I}_i(\tau_2)$ for $\tau_1 \neq \tau_2$, obtain $\mathcal{N}_{i+1}$ by copying $\mathcal{I}_i(\tau_2)$ to a new world $w$ and redirect $\tau_2$ to this new world, i.e., $\mathcal{I}_{i+1} = \mathcal{I}_i \cup \{(\tau_2, w)\} \setminus \{(\tau_2, \mathcal{I}_i(\tau_2))\}$.

2. If $\mathcal{I}_{k-1}$ is injective but $W_{k-1} \setminus \mathrm{Range}(\mathcal{I}_{k-1}) = \emptyset$, obtain $\mathcal{N}_k$ by copying $\mathcal{I}_{k-1}(e1)$ to a new world $y$. Set $\mathcal{I}_k = \mathcal{I}_{k-1}$. Now $W_k \setminus \mathrm{Range}(\mathcal{I}_k) \neq \emptyset$.

3. Finally, define the two sets $Y = \{y \in W_k \setminus \mathrm{Range}(\mathcal{I}_k) \mid \mathcal{I}_k(e) R y\}$ and $Z = \{z \in W_k \setminus \mathrm{Range}(\mathcal{I}_k) \mid \text{not } \mathcal{I}_k(e) R z\}$ and obtain $\mathcal{N}'$ by copying:

– for each $y \in Y$, copy $\mathcal{I}_k(e1)$ away from the root to a new world $y_2$;
– for each $z \in Z$, copy $\mathcal{I}_k(e1)$ to a new world $z_1$.

Then $\mathcal{I}' = \mathcal{I}_k$ is an injective interpretation of $G$ into $\mathcal{N}'$.

Note that $W' \setminus \mathrm{Range}(\mathcal{I}') = Y \cup Z \cup \{y_2 \mid y \in Y\} \cup \{z_1 \mid z \in Z\} \neq \emptyset$. Further, $\mathcal{I}'(e) R' y$ for all $y \in Y$, and not $\mathcal{I}'(e) R' y_2$ for all $y \in Y$, and $\mathcal{I}'(e) R' z_1$ for all $z \in Z$, and not $\mathcal{I}'(e) R' z$ for all $z \in Z$. Thus, we obtain the requisite partition $P = \{(y, y_2) \mid y \in Y\} \cup \{(z_1, z) \mid z \in Z\} \neq \emptyset$ of the non-empty $W' \setminus \mathrm{Range}(\mathcal{I}')$.

It is clear that $(\mathcal{N}', \mathcal{I}') \sim (\mathcal{M}, \mathcal{I})$. So $\mathcal{N}', \mathcal{I}' \nvDash A_\ell(t, \Sigma_e; G)$ by Lemma 17, i.e., for each $1 \le i \le h$ we have $\mathcal{N}', \rho \nvDash \Diamond\delta_i$ for $\rho = \mathcal{I}'(e)$, or $\mathcal{N}', \mathcal{I}'(e1) \nvDash \Diamond\delta'_i$, or $\mathcal{N}', \mathcal{I}'(\tau) \nvDash \gamma_{i,\tau}$ for some $\tau \in G$. Thus, for any $(v, u) \in P$ and each $1 \le i \le h$, we have $\mathcal{N}', v \nvDash \delta_i$, or $\mathcal{N}', u \nvDash \delta'_i$, or $\mathcal{N}', \mathcal{I}'(\tau) \nvDash \gamma_{i,\tau}$ for some $\tau \in G$. Hence, (6) is false under the injective interpretation $\mathcal{J}_{v,u} = \mathcal{I}' \cup \{(ed, v), (d, u)\}$ into $\mathcal{N}'$, i.e., abbreviating $\Phi = \{\psi \mid \Diamond\psi \in G\}$ and $\Theta = \{\chi \mid \Diamond\chi \in G_e\}$, we get $\mathcal{N}', \mathcal{J}_{v,u} \nvDash A_\ell(1, \Diamond\Box G_e; G, [\Phi]_{ed}, [[\Theta]]_d)$.
Ordinarily, here we would use IH, but this is only possible for sufficient calls, which, alas, is not guaranteed for (6). What is known by Lemma 23(3) is that every branch going up from (6) leads to a call of the form

$$A_\ell(1, \Diamond\Box G_e; G, [\Phi_j]_{ed}, [[\Theta_j]]_d), \qquad (11)$$

where $\Phi_j \supseteq \Phi$ and $\Theta_j \supseteq \Theta$, that returns multiformula $\mho_j$ and is either sufficient or insufficient but saturated. Let $\Xi$ denote the multiset of these multiformulas $\mho_j$ returned by all these calls. Since Step 2 is the only one used between that call and all the calls comprising (11), it is clear that (6) is their conjunction, i.e., $A_\ell(1, \Diamond\Box G_e; G, [\Phi]_{ed}, [[\Theta]]_d) = \bigotimes_{\mho_j \in \Xi} \mho_j$. Collecting all this together, we conclude that for each pair $(v, u) \in P$ there is some $\mho_{v,u} \in \Xi$ such that

$$\mathcal{N}', \mathcal{J}_{v,u} \nvDash \mho_{v,u}. \qquad (12)$$

We distinguish between two cases. First, suppose for at least one pair $(v, u) \in P$ there is a sufficient $\mho_{v,u} = A_\ell(1, \Diamond\Box G_e; G, [\Phi_{v,u}]_{ed}, [[\Theta_{v,u}]]_d)$ satisfying (12). By IH for this $\mho_{v,u}$, there is an interpretation $\mathcal{J}_0$ into a K5-model $\mathcal{M}'$ such that $(\mathcal{M}', \mathcal{J}_0) \preceq_\ell (\mathcal{N}', \mathcal{J}_{v,u})$ and $\mathcal{M}', \mathcal{J}_0 \nvDash G, [\Phi_{v,u}]_{ed}, [[\Theta_{v,u}]]_d$. Thus, $\mathcal{M}', \mathcal{J}' \nvDash G$ for $\mathcal{J}' = \mathcal{J}_0 \restriction \mathrm{Lab}(G)$. Finally, by restricting to labels of $G$, we can see that

$$(\mathcal{M}', \mathcal{J}') \preceq_\ell (\mathcal{N}', \mathcal{I}') \sim (\mathcal{M}, \mathcal{I}). \qquad (13)$$

Otherwise, (12) does not hold for any pair $(v, u) \in P$ and any sufficient $\mho_{v,u} \in \Xi$. In this case, $\mathcal{N}', \mathcal{J}_{v,u} \nvDash \bigotimes_{\mho_j \in \Xi} \mho_j$ guarantees the existence of an insufficient $\mho_{v,u} \in \Xi$ for each pair $(v, u) \in P$ such that (12) holds. Since all these $\mho_{v,u}$ are insufficient, we cannot use IH. Instead, we construct $\mathcal{M}'$ and $\mathcal{J}'$ directly by changing $\ell$ from true to false if needed based on $G$ within $\mathrm{Range}(\mathcal{I}')$ and based on the $\mho_{v,u}$'s outside of this range. Thanks to $\mathcal{I}'$ being injective, we do not need to worry about conflicting requirements from different components of $G$. Similarly, $P$ being a partition prevents conflicts outside $\mathrm{Range}(\mathcal{I}')$. Let $\mathcal{M}' = (W', R', U')$ be $\mathcal{N}'$ with $V'$ changed into $U'$. We define $V' \downarrow_\ell T$ as the valuation that makes $\ell$ false in all worlds from $T \subseteq W'$, i.e., $(V' \downarrow_\ell T)(q) = V'(q)$ for all $q \notin \{\ell, \overline{\ell}\}$, while

$$(V' \downarrow_\ell T)(p) = \begin{cases} V'(p) \setminus T & \text{if } \ell = p, \\ V'(p) \cup T & \text{if } \ell = \overline{p} \end{cases}$$

for $p \in \{\ell, \overline{\ell}\}$. Using this notation, we define $U' = V' \downarrow_\ell T_G$ where

$$T_G = \{\mathcal{I}'(\sigma) \mid \sigma : \ell \in G\} \cup \{v \mid (v, u) \in P \text{ and } ed : \ell \in \mho_{v,u}\} \cup \{u \mid (v, u) \in P \text{ and } d : \ell \in \mho_{v,u}\}. \qquad (14)$$

Finally, $\mathcal{J}' = \mathcal{I}'$. It is clear that (13) holds for these $\mathcal{M}'$ and $\mathcal{J}'$.
It remains to show that $\mathcal{M}', \mathcal{J}' \nvDash G$. This is done by mutual induction on the construction of formula $\varphi$ for the following three induction statements

$$\sigma : \varphi \in G \implies \mathcal{M}', \mathcal{I}'(\sigma) \nvDash \varphi, \qquad (15)$$
$$ed : \varphi \in \mho_{v,u} \implies \mathcal{M}', v \nvDash \varphi, \qquad (16)$$
$$d : \varphi \in \mho_{v,u} \implies \mathcal{M}', u \nvDash \varphi. \qquad (17)$$

Case $\varphi = \ell' \in \mathrm{Lit} \setminus \{\ell, \overline{\ell}\}$. By Lemma 23(3), all $\mho_{v,u}$ are computed by Step 4c due to their insufficiency, i.e., $\mho_{v,u} = \mathrm{LitDis}_\ell(G, [\Phi_{v,u}]_{ed}, [[\Theta_{v,u}]]_d)$. (16) and (17) follow from (12) and (2) because $\mathcal{M}'$ agrees with $\mathcal{N}'$ on $\ell' \notin \{\ell, \overline{\ell}\}$. Similarly, since $\mathcal{J}_{v,u}$ agrees with $\mathcal{J}' = \mathcal{I}'$ on $\mathrm{Lab}(G)$, (15) follows by using $\mho_{v,u}$ for any $(v, u) \in P \neq \emptyset$.

Case $\varphi = \overline{\ell}$ is analogous to the previous one. The only difference is the reason why $\mathcal{M}'$ agrees with $\mathcal{N}'$ on $\overline{\ell}$. Here, $\sigma : \overline{\ell} \in G$ implies $\sigma : \ell \notin G$ because $G$ was processed by Step 4d not Step 1. Therefore, $\mathcal{I}'(\sigma) \notin T_G$ by the injectivity of $\mathcal{I}'$, and $\overline{\ell}$ was not made true in $\mathcal{I}'(\sigma)$, ensuring (15). The argument for (16) and (17) is similar, except $ed/d : \overline{\ell}$ is taken from $\mho_{v,u}$ processed by Step 4c not Step 1.

Case $\varphi = \ell$. All of (15)-(17) follow from (14).

Cases $\varphi = \varphi_1 \land \varphi_2$ and $\varphi = \varphi_1 \lor \varphi_2$ are standard and follow by IH due to saturation of $G$ for (15) and of $\mho_{v,u}$ for (16) and (17).

Case $\varphi = \Box\xi$. If $\sigma : \Box\xi \in G$, then by saturation of $G$, there is a $\tau$ such that $\tau : \xi \in G$ and $\mathcal{I}'(\sigma) R' \mathcal{I}'(\tau)$: if $\sigma = e$, then $\tau = ej$ for some $j$, while if $\sigma \neq e$, then $\tau \neq e$. By IH(15), $\mathcal{M}', \mathcal{I}'(\tau) \nvDash \xi$, and $\mathcal{M}', \mathcal{I}'(\sigma) \nvDash \Box\xi$. If $ed/d : \Box\xi \in \mho_{v,u}$, then $\Box\xi \in \Diamond\Box G_e$ by conditions of Step 4c due to (11), i.e., $\Box\xi \in G_e$. By saturation of $G$, there is a $\tau \neq e$ such that $\tau : \xi \in G$. Since $v$, $u$, and $\mathcal{I}'(\tau)$ are all in the cluster $C$ of $\mathcal{M}'$, we have $v R' \mathcal{I}'(\tau)$ and $u R' \mathcal{I}'(\tau)$. It remains to use IH(16) and IH(17).

Case $\varphi = \Diamond\xi$. First consider $\sigma = e$ and $e : \Diamond\xi \in G$. Since $\mathcal{I}'(e) = \rho$ is the root, $\rho R' w$ implies either $w = \mathcal{I}'(ej)$ for some $j$ or $w \notin \mathrm{Range}(\mathcal{I}')$. In the former case, $ej : \xi \in G$ by saturation of $G$, so $\mathcal{M}', w \nvDash \xi$ by IH(15). In the latter case, $(w, u) \in P$ for some $u$. Recall for $A_\ell(1, \Diamond\Box G_e; G, [\Phi_{w,u}]_{ed}, [[\Theta_{w,u}]]_d)$ that we have $\Phi_{w,u} \supseteq \Phi = \{\psi \mid \Diamond\psi \in G\} \ni \xi$. Hence, $ed : \xi \in \mho_{w,u}$, and $\mathcal{M}', w \nvDash \xi$ by IH(16). Since $\mathcal{M}', w \nvDash \xi$ for all $\mathcal{I}'(e) = \rho R' w$, we conclude $\mathcal{M}', \mathcal{I}'(e) \nvDash \Diamond\xi$.

If $\sigma \neq e$ and $\sigma : \Diamond\xi \in G$, the argument is similar. But additionally we may have $w = \mathcal{I}'(k)$ for some $k$ or $(v, w) \in P$ for some $v$. In the former case, $k : \xi \in G$ by saturation of $G$, so $\mathcal{M}', w \nvDash \xi$ by IH(15). In the latter case, $\Theta_{v,w} \supseteq \Theta = \{\chi \mid \Diamond\chi \in G_e\} \ni \xi$. Hence, $d : \xi \in \mho_{v,w}$ and $\mathcal{M}', w \nvDash \xi$ by IH(17). Since $\mathcal{M}', w \nvDash \xi$ for all $\mathcal{I}'(\sigma) R' w$, we conclude $\mathcal{M}', \mathcal{I}'(\sigma) \nvDash \Diamond\xi$.

If $ed/d : \Diamond\xi \in \mho_{v,u}$, then, similar to the analogous subcase of $\Box\xi$, conditions of Step 4c imply that $\Diamond\xi \in G_e$, i.e., $\tau_0 : \Diamond\xi \in G$ for some $\tau_0 \neq e$. Then $\tau : \xi \in G$ for all $\tau \neq e$ by saturation of $G$. Thus, $\mathcal{M}', \mathcal{I}'(\tau) \nvDash \xi$ for all $\tau \neq e$ by IH(15). For each $y \notin \mathrm{Range}(\mathcal{I}')$ such that $\rho R' y$, there is $x$ such that $(y, x) \in P$ and $ed : \xi \in \mho_{y,x}$ because $\Phi_{y,x} \supseteq \Phi \ni \xi$. Hence, $\mathcal{M}', y \nvDash \xi$ by IH(16). Finally, for each $x \notin \mathrm{Range}(\mathcal{I}')$ such that not $\rho R' x$, there is $y$ such that $(y, x) \in P$ and $d : \xi \in \mho_{y,x}$ because $\Theta_{y,x} \supseteq \Theta \ni \xi$. Hence, $\mathcal{M}', x \nvDash \xi$ by IH(17). We have shown that $\mathcal{M}', w \nvDash \xi$ whenever $v R' w$ ($u R' w$). Thus, $\mathcal{M}', v \nvDash \Diamond\xi$ and $\mathcal{M}', u \nvDash \Diamond\xi$.


5 Conclusion 


We presented layered sequent calculi for several extensions of modal logic K5: 
namely, K5 itself, KD5, K45, KD45, KB5, and S5. By leveraging the simplicity 
of Kripke models for these logics, we were able to formulate these calculi in a 
modular way and obtain optimal complexity upper bounds for proof search. We 
used the calculus for K5 to obtain the first syntactic (and, hence, constructive) 
proof of the uniform Lyndon interpolation property for K5. 

Due to the proof being technically involved, space considerations prevented 
us from extending the syntactic proof of ULIP to KD5, K45, KD45, KB5, and S5. 
For S5, layered sequents coincide with hypersequents, and we plan to upgrade the 
hypersequent-based syntactic proof of UIP from [11] to ULIP (see also [13]). As 
for KD5, K45, KD45, and KB5, the idea is to modify the method presented here 
for K5 by using the layered sequent calculus for the respective logic and making 
other necessary modifications, e.g., to rule dd, to fit the specific structure of the 
layers. We conjecture that the proof for K45, KD45, and KB5 would be similar 
to that for S5, whereas KD5 would more closely resemble K5. 


Acknowledgments. Iris van der Giessen and Raheleh Jalali are grateful for the pro- 
ductive and exciting four-week research visit to the Embedded Computing Systems 
Group at TU Wien. The authors thank the anonymous reviewers for their useful com- 
Abstract. A variety of intuitionistic versions of modal logic K have been proposed in the literature. An apparent misconception is that all these logics coincide on their $\Box$-only (or $\Diamond$-free) fragment, suggesting some robustness of '$\Box$-only intuitionistic modal logic'. However in this work we show that this is not true, by consideration of negative translations from classical modal logic: Fischer Servi's IK proves strictly more $\Diamond$-free theorems than Fitch's CK, and indeed iK, the minimal $\Box$-normal intuitionistic modal logic.

On the other hand we show that the smallest extension of iK by a normal $\Diamond$ is in fact conservative over iK (over $\Diamond$-free formulas). To this end, we develop a novel proof calculus based on nested sequents for intuitionistic propositional logic due to Fitting. Along the way we establish a number of new metalogical results.


Keywords: Modal logic · Intuitionistic logic · Negative translation · Proof theory · Nested sequents · Cut-elimination


1 Introduction 


Usual (propositional) modal logic extends the language of classical propositional logic (CPL) by two modalities, $\Box$ and $\Diamond$, informally representing 'necessity' and 'possibility', resp. This informality is made precise by relational semantics. This semantics gives rise to the 'standard translation', allowing us to distill the normal modal logic K as a well-behaved fragment of first-order logic (FOL). Notably, over classical logic, $\Box$ and $\Diamond$ are De Morgan dual, just like $\forall$ and $\exists$: we have $\Diamond A = \neg\Box\neg A$. However, in light of the association with FOL, one would naturally expect an intuitionistic counterpart of modal logic not to satisfy any such reduction. The pursuit of a reasonable definition for an 'intuitionistic' modal logic goes back decades, including works such as [7-9,14] as early as the 1950s-60s, more developments [13,25,29,32] in the 1970s, and a growing interest [6,12,17,26,28,30,31,34,35] in the 1980s. See [33] or [20] for a survey. The smallest such logic that is typically considered is iK, obtained by simply extending intuitionistic propositional logic (IPL) by the axiom $k_1$ and rules mp, nec from Fig. 1, but not including any axioms involving $\Diamond$, e.g. [6,36]. It
$$k_1 : \Box(A \to B) \to (\Box A \to \Box B) \qquad k_2 : \Box(A \to B) \to (\Diamond A \to \Diamond B) \qquad k_3 : \Diamond(A \lor B) \to (\Diamond A \lor \Diamond B)$$
$$k_4 : (\Diamond A \to \Box B) \to \Box(A \to B) \qquad k_5 : \Diamond\bot \to \bot \qquad \frac{A \quad A \to B}{B}\ \mathrm{mp} \qquad \frac{A}{\Box A}\ \mathrm{nec}$$

Fig. 1. Axioms and rules for intuitionistic modal logics.


seems that Fitch [14] was the first one to propose a way to treat $\Diamond$ in an intuitionistic setting by considering a version of CK, extending iK with $k_2$. CK enjoys a rather natural proof-theoretic formulation [35] that simply adapts the sequent calculus for K according to the usual intuitionistic restriction: each sequent may have just one formula on the RHS. What is more, cut-elimination for this simple calculus is just a specialisation of the classical case.

IK, which includes all axioms and rules in Fig. 1, was introduced by [28] and is equivalent to the logic proposed by [31], or even to [12] in the context of intuitionistic tense logic. In [33] Simpson gives logical arguments in favour of IK, namely as a logic that corresponds to intuitionistic FOL along the same standard translation that lifts K to classical FOL. The price to pay, however, is steep: there is no known cut-free sequent calculus complete for IK. On the other hand, Simpson demonstrates how the relational semantics of classical modal logic may be leveraged to recover a labelled sequent calculus. The cut-elimination theorem, this time, specialises the cut-elimination theorem for intuitionistic FOL.

Contribution. An apparently widespread perception about intuitionistic modal logics is that iK and IK (and so all logics in between) coincide on their '$\Box$-only' (i.e. $\Diamond$-free) fragments. We show that this is not true by giving an explicit separation of IK from iK (also CK) by a $\Diamond$-free formula, and go on to initiate a comparison of the various logics by their $\Diamond$-free fragments. For the first separation, we show IK validates a form of Gödel-Gentzen translation from K, but that CK does not; the simplest such separation arising from this is given by $\neg\neg\Box\bot \to \Box\bot$. An important question at this point is whether it is even possible to conservatively extend iK by a normal $\Diamond$, i.e. is CK + $k_3$ + $k_5$ $\Diamond$-free conservative over CK? We answer this positively by designing a new system for the logic based on Fitting's nested sequents for IPL [16] and proving a cut-elimination result. Our results are summarised in Fig. 2.

Some of the ideas behind this work were announced and discussed on The Proof Theory Blog in 2022 [11] (but have not been peer-reviewed before). We shall reference that discussion further in Sect. 4.


2 Preliminaries 


Let us fix a countable set of propositional variables, written $p, q$ etc. When working in predicate logic, we shall simultaneously construe these as unary predicate symbols, and further fix an (infix) binary relation symbol $R$.




(Figure 2: diagram whose nodes include CK + $k_3$ + $k_5$ and CK + $k_4$ + $k_5$.)

Fig. 2. Comparison of $\Diamond$-free fragments. Solid arrows denote inclusion, dashed arrows denote non-inclusion. All new results of this work are in red, where faded arrows are consequences of the non-faded ones. The dotted blue ? arrow is apparently open. (Color figure online)


Throughout this paper we shall work with (modal propositional) formulas, written $A, B$ etc., generated by:

$$A ::= \bot \mid p \mid (A \lor B) \mid (A \land B) \mid (A \to B) \mid \Box A \mid \Diamond A$$

We may write $\neg A := A \to \bot$, and frequently omit brackets to aid legibility when it is unambiguous. We write, say, $A \to B \to C$ for $A \to (B \to C)$.

Due to space constraints, we shall not cover any formal semantics in this work; however it is insightful to recall how modal formulas may be viewed as a fragment of first-order predicate logic. The standard translation is a certain action of modal formulas on first-order variables given by a predicate formula:

Definition 1 (Standard translation). For modal formulas $A$ we define the predicate formula $A(x)$ by:

$$\bot(x) := \bot \qquad p(x) := p(x) \qquad (A \lor B)(x) := A(x) \lor B(x) \qquad (A \land B)(x) := A(x) \land B(x) \qquad (A \to B)(x) := A(x) \to B(x)$$
$$(\Diamond A)(x) := \exists y\,(xRy \land A(y)) \qquad (\Box A)(x) := \forall y\,(xRy \to A(y))$$

For the reader familiar with the usual relational semantics of modal logic, note that the formula $A(x)$ simply describes the evaluation of the modal formula $A$ at a 'world' $x$, within predicate logic. From this point of view we have:

Definition 2. K is the set of modal formulas $A$ s.t. $A(x)$ is classically valid.
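As an added example (not code from the paper), the standard translation of Definition 1 written as a recursive function, together with a classical evaluator for the resulting first-order formulas on a finite structure; the remark that $A(x)$ describes the evaluation of $A$ at world $x$, and the De Morgan duality $\Diamond A = \neg\Box\neg A$ noted in the introduction, then become checks that can be run. The encoding of formulas as tuples, the function names and the three-world structure are constructed here.

```python
# Added example, not from the paper: Definition 1's standard translation as a recursive function on
# modal formulas, a classical evaluator for the resulting first-order formulas on a finite structure,
# and checks that A(x) agrees with the relational evaluation of A at world x and that <>A and ~[]~A
# translate to classically equivalent formulas. Formula encoding and sample structure are constructed.
from itertools import count

def fresh_names(prefix="y"):
    c = count()
    return lambda: f"{prefix}{next(c)}"

def standard_translation(a, x="x", fresh=None):
    """A(x) for a modal formula a given as nested tuples:
    ("bot",), ("var", p), ("and"|"or"|"imp", A, B), ("dia", A), ("box", A)."""
    fresh = fresh or fresh_names()
    tag = a[0]
    if tag == "bot":
        return ("bot",)
    if tag == "var":                                   # p(x): the variable p read as a unary predicate
        return ("pred", a[1], x)
    if tag in ("and", "or", "imp"):                    # connectives translate homomorphically
        return (tag, standard_translation(a[1], x, fresh), standard_translation(a[2], x, fresh))
    if tag == "dia":                                   # (<>A)(x) := exists y (xRy and A(y))
        y = fresh()
        return ("exists", y, ("and", ("R", x, y), standard_translation(a[1], y, fresh)))
    if tag == "box":                                   # ([]A)(x) := forall y (xRy -> A(y))
        y = fresh()
        return ("forall", y, ("imp", ("R", x, y), standard_translation(a[1], y, fresh)))
    raise ValueError(f"unknown connective {tag}")

def render(f):
    """Readable string form of a first-order formula."""
    tag = f[0]
    if tag == "bot":
        return "⊥"
    if tag == "pred":
        return f"{f[1]}({f[2]})"
    if tag == "R":
        return f"{f[1]}R{f[2]}"
    if tag in ("and", "or", "imp"):
        sym = {"and": "∧", "or": "∨", "imp": "→"}[tag]
        return f"({render(f[1])} {sym} {render(f[2])})"
    return f"{'∃' if tag == 'exists' else '∀'}{f[1]}{render(f[2])}"

def fo_eval(f, s, env):
    """Classical truth in a finite structure s = {"dom": ..., "R": set of pairs, "pred": {p: set}}."""
    tag = f[0]
    if tag == "bot":
        return False
    if tag == "pred":
        return env[f[2]] in s["pred"].get(f[1], set())
    if tag == "R":
        return (env[f[1]], env[f[2]]) in s["R"]
    if tag == "and":
        return fo_eval(f[1], s, env) and fo_eval(f[2], s, env)
    if tag == "or":
        return fo_eval(f[1], s, env) or fo_eval(f[2], s, env)
    if tag == "imp":
        return (not fo_eval(f[1], s, env)) or fo_eval(f[2], s, env)
    vals = (fo_eval(f[2], s, {**env, f[1]: d}) for d in s["dom"])
    return any(vals) if tag == "exists" else all(vals)

def modal_eval(a, s, w):
    """Relational (Kripke) semantics over the same structure, used as the reference."""
    tag = a[0]
    if tag == "bot":
        return False
    if tag == "var":
        return w in s["pred"].get(a[1], set())
    if tag == "and":
        return modal_eval(a[1], s, w) and modal_eval(a[2], s, w)
    if tag == "or":
        return modal_eval(a[1], s, w) or modal_eval(a[2], s, w)
    if tag == "imp":
        return (not modal_eval(a[1], s, w)) or modal_eval(a[2], s, w)
    succ = [v for (u, v) in s["R"] if u == w]
    return (any if tag == "dia" else all)(modal_eval(a[1], s, v) for v in succ)

def neg(a):
    return ("imp", a, ("bot",))

def translation_agrees(a, s):
    """True iff A(x) and the relational evaluation of A coincide at every world of s."""
    return all(fo_eval(standard_translation(a), s, {"x": w}) == modal_eval(a, s, w) for w in s["dom"])

def de_morgan_dual_agrees(a, s):
    """Classically, (<>A)(x) and (~[]~A)(x) have the same truth value at every world."""
    left, right = standard_translation(("dia", a)), standard_translation(neg(("box", neg(a))))
    return all(fo_eval(left, s, {"x": w}) == fo_eval(right, s, {"x": w}) for w in s["dom"])

# Constructed structure: three worlds, R = {0->1, 0->2, 1->2}, p true at 1, q true at 2.
STRUCT = {"dom": {0, 1, 2}, "R": {(0, 1), (0, 2), (1, 2)}, "pred": {"p": {1}, "q": {2}}}
SAMPLE_FORMULA = ("box", ("imp", ("var", "p"), ("dia", ("var", "q"))))   # [](p -> <>q)
```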


2.1 Some Axiomatisations and Characterisations 


The intuitionistic modal logics we consider will always be extensions of intuitionistic propositional logic (IPL) by some of the axioms and rules in Fig. 1. Let us first point out the following well-known axiomatisation:

Proposition 3 (see, e.g., [4,5]). The $\Diamond$-free fragment of K is axiomatised by classical propositional logic (CPL), $k_1$, mp and nec.


In classical modal logic it suffices at this point to set $\Diamond A := \neg\Box\neg A$ in order to recover the full axiomatisation of K, but this will not (in general) be the case for the intuitionistic modal logics we are concerned with.

$$\frac{}{A \Rightarrow A} \qquad \frac{\Gamma \Rightarrow A}{\Gamma, B \Rightarrow A} \qquad \frac{}{\bot \Rightarrow A} \qquad \frac{\Gamma \Rightarrow A}{\Box\Gamma \Rightarrow \Box A} \qquad \frac{\Gamma, A \Rightarrow B}{\Box\Gamma, \Diamond A \Rightarrow \Diamond B}$$
$$\frac{\Gamma, A \Rightarrow C \quad \Gamma, B \Rightarrow C}{\Gamma, A \lor B \Rightarrow C} \qquad \frac{\Gamma, A, B \Rightarrow C}{\Gamma, A \land B \Rightarrow C} \qquad \frac{\Gamma \Rightarrow A \quad \Gamma, B \Rightarrow C}{\Gamma, A \to B \Rightarrow C}$$
$$\frac{\Gamma \Rightarrow A_i}{\Gamma \Rightarrow A_1 \lor A_2} \qquad \frac{\Gamma \Rightarrow A \quad \Gamma \Rightarrow B}{\Gamma \Rightarrow A \land B} \qquad \frac{\Gamma, A \Rightarrow B}{\Gamma \Rightarrow A \to B}$$

Fig. 3. The cut-free sequent calculus LCK, obtained from the calculus for K by requiring exactly one formula on the RHS.


Definition 4. We define the following intuitionistic modal logics:

– iK extends IPL by $k_1$ and is closed under mp and nec;
– CK extends IPL by $k_1$, $k_2$ and is closed under mp and nec;
– IK extends IPL by all the axioms $k_1$-$k_5$ and is closed under mp and nec.

iK was studied in, e.g., [6] and [36]. The logic CK + $k_5$ was considered in [35], while the restriction to CK itself was given a categorical treatment in [3] and further in [23]. IK was first defined in [30] and [28], and investigated in detail in [33]. Note that it is clear from the definitions that iK $\subseteq$ CK $\subseteq$ IK.

Since we do not work with formal semantics, we shall introduce certain proof-theoretic characterisations of the logics above in order to more easily reason about (non-)provability. At the same time, these characterisations will expose some naturality underlying the logics iK, CK and IK.

First, let us point out that classical modal logic K has a simple sequent calculus, extending the usual propositional fragment of Gentzen's LK by the modal rules (see, e.g., [15]):


$$\frac{\Gamma, A \Rightarrow \Delta}{\Box\Gamma, \Diamond A \Rightarrow \Diamond\Delta} \qquad\qquad \frac{\Gamma \Rightarrow \Delta, A}{\Box\Gamma \Rightarrow \Diamond\Delta, \Box A}$$

Here $\Gamma$ and $\Delta$ are sets of formulas (cedents) and $\Rightarrow$ is just a syntactic delimiter. A sequent $\Gamma \Rightarrow \Delta$ is understood logically as $\bigwedge\Gamma \to \bigvee\Delta$, its formula translation. Note in particular here the symmetry of the two rules, underpinned by the De Morgan duality between $\Diamond$ and $\Box$ in classical modal logic.

The characteristic property of the logic CK is that it is obtained from the sequent calculus for K by imposing the usual intuitionistic restriction: each sequent must have exactly one formula on the RHS. Formally, writing LCK for the (cut-free) sequent calculus given in Fig. 3, we have the well-known result:

Theorem 5 (e.g., implied by [35]). LCK is sound and complete for CK.

This has an entirely syntactic proof, simulating the axiomatisation of CK using a 'cut' rule and proving cut-elimination (for the completeness direction). An immediate (and well-known) consequence of this result is the following, justifying the leftmost node of Fig. 2:

Corollary 6. CK is conservative over iK, over $\Diamond$-free formulas.

Proof (idea). By the subformula property of LCK only $\Diamond$-free formulas appear in any proof with $\Diamond$-free conclusion. It is easily verified that any inference step whose premisses and conclusion are $\Diamond$-free is already derivable in iK.


Let us now turn to IK. One of the principal motivations behind IK is its 
compatibility with the standard translation, analogous to classical K: 


Theorem 7 (Intuitionistic standard translation, [33]). IK is the set of 
modal formulas whose standard translations are intuitionistically valid. 


This result corresponds to Simpson's ‘Requirement 6’ in his PhD thesis [33]. Note 
here the analogy to K’s relationship with classical predicate logic, cf. Definition 2. 
'The proof of the above theorem is a priori nontrivial and is beyond the scope of 
this work. Importantly, this result induces a proof-theoretic characterisation of 
IK similar to that of CK, only beginning from a different underlying calculus. 
Namely, IK can be obtained from the ‘labelled’ calculus for K (e.g. [24]) by 
requiring that each sequent has exactly one formula on the RHS. 


Remark 8. Before closing this section it is worthwhile to mention that several 
other logics intermediate to CK and IK have been studied. One notable choice 
is Wijesekera's CK + k5, sometimes called WK (e.g. in [10]). Wijesekera used a 
minor adaptation of LCK to allow empty RHS (as well as singleton), resulting in 
a calculus that is sound and (cut-free) complete for WK [35]. We shall return to 
this idea later but for now let us point out that a similar argument to Corollary 6 
above indeed shows that even WK is ◇-free conservative over iK. This will be 
subsumed by our later result for CK + k3 + k5. 


3 Separating CK and IK over the ◇-Free Fragment 


In this section we shall justify the main subject matter of this work: the comparison 
of ◇-free fragments of intuitionistic modal logics. That such an investigation 
is even nontrivial is surprising: for decades now numerous papers have claimed 
that iK, CK, IK all coincide on their ◇-free fragments.¹ In this section we show 
that this is not the case. 


¹ It is not the purpose of this paper to enumerate all such cases in the literature (nor 
do we believe it is fruitful to do so), but we point the reader to the blog post [11] 
for more background underlying this perception. 
3.1 The Gödel-Gentzen Negative Translation 


Gödel and Gentzen (independently) introduced certain double negation translations 
for embedding classical first-order predicate logic into its intuitionistic 
counterpart [18,19]. Inspired by the 'standard translation' of Definition 1, we 
duly adapt this translation to the language of modal logic: 


Definition 9 (Gödel-Gentzen negative translation). For each modal formula 
A we define another modal formula A^N as follows: 

$$
(A \to B)^N := A^N \to B^N \qquad\qquad (A \wedge B)^N := A^N \wedge B^N
$$


Note that the image of ·^N is {∨, ◇}-free: it is formed from only the 'negative' 
connectives ⊥, ∧, →, □. For the reader familiar with the usual Gödel-Gentzen 
translation on first-order predicate formulas, note that our translation above 
is justified by the standard translation from Definition 1: the standard translation 
of A^N is the same as the Gödel-Gentzen translation of the standard translation 
of A, up to double negations in front of atomic relational formulas xRy. 
Nonetheless, due to this slight difference, and for self-containment of the exposition, 
we prefer to give the necessary characterisations explicitly. 


3.2 IK Validates Gödel-Gentzen 


Lemma 10 (Negativity). IK proves the following: 

$$
\neg\neg\bot \to \bot \qquad\qquad \neg\neg(A \to B) \to \neg\neg A \to \neg\neg B \qquad\qquad \neg\neg\Box A \to \Box\neg\neg A
$$


Proof. The non-modal cases are already theorems of IPL, so it remains to check 
the final □ case: 

$$
\begin{array}{ll}
A \to \neg\neg A & \text{IPL} \\
\Box(A \to \neg\neg A) & \text{necessitation} \\
\Box A \to \Box\neg\neg A & \text{by } k_1 \\
\Box A \to \Diamond\neg A \to \Diamond\bot & \text{by } k_2 \\
\Box A \to \neg\Diamond\neg A & \text{by } k_5 \\
\neg\neg\Box A \to \neg\Diamond\neg A & \text{by } \neg\neg\neg\Diamond\neg A \leftrightarrow \neg\Diamond\neg A \text{ (IPL)} \\
\neg\neg\Box A \to \Diamond\neg A \to \Box\bot & \text{by ex falso quodlibet, } \bot \to \Box\bot \\
\neg\neg\Box A \to \Box\neg\neg A & \text{by } k_4
\end{array}
$$


Let us point out that k3 was not used in the argument above. We shall keep 
track of k3 (non-)use during this section and state stronger results later. From 
here by structural induction on formulas, using the above Lemma, we have: 

Lemma 11 (Double-negation elimination). IK ⊢ ¬¬A^N → A^N. 

Theorem 12. If K ⊢ A then IK ⊢ A^N. 


Proof (sketch). Referring to Proposition 3, simply take an axiomatic K proof 
of A and replace every formula by its image under ·^N. Any non-constructive 
reasoning is justified by appealing to Lemma 11 above.² 


Let us point out that no modal reasoning was used to justify Lemma 11 and 
Theorem 12, further to what we used for Lemma 10. Thus it is immediate that 
CK + k4 + k5 also validates the Gödel-Gentzen translation: 


Corollary 13. If K ⊢ A then CK + k4 + k5 ⊢ A^N. 


Example 14. Instantiating the □-case of the proof of Lemma 10 by A = ⊥, and 
since IPL ⊢ ¬¬⊥ → ⊥, we have that CK + k4 + k5 ⊢ ¬¬□⊥ → □⊥. 
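The following derivation is added here as a worked instance of Example 14 and is not part of the original paper: it writes out the □-case of the proof of Lemma 10 with A instantiated to ⊥, and then removes the inner double negation with one further application of k1. The axiom names k1, k2, k4, k5 and the line justifications are those used in the proof of Lemma 10; no other assumptions are made.

$$
\begin{array}{ll}
\bot \to \neg\neg\bot & \text{IPL} \\
\Box(\bot \to \neg\neg\bot) & \text{necessitation} \\
\Box\bot \to \Box\neg\neg\bot & \text{by } k_1 \\
\Box\bot \to \Diamond\neg\bot \to \Diamond\bot & \text{by } k_2 \\
\Box\bot \to \neg\Diamond\neg\bot & \text{by } k_5 \\
\neg\neg\Box\bot \to \neg\Diamond\neg\bot & \text{by } \neg\neg\neg\Diamond\neg\bot \leftrightarrow \neg\Diamond\neg\bot \text{ (IPL)} \\
\neg\neg\Box\bot \to \Diamond\neg\bot \to \Box\bot & \text{by ex falso quodlibet, } \bot \to \Box\bot \\
\neg\neg\Box\bot \to \Box\neg\neg\bot & \text{by } k_4 \\[4pt]
\neg\neg\bot \to \bot & \text{IPL} \\
\Box(\neg\neg\bot \to \bot) & \text{necessitation} \\
\Box\neg\neg\bot \to \Box\bot & \text{by } k_1 \\
\neg\neg\Box\bot \to \Box\bot & \text{composing the two implications (IPL)}
\end{array}
$$

Only k1, k2, k4 and k5 occur, so the derivation lives in CK + k4 + k5; the final line is exactly the formula that Proposition 15 below shows to be unprovable in CK.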


3.3 CK Does Not Validate Gödel-Gentzen 


On the other hand, it is easy to show that CK does not validate the Gödel-Gentzen 
translation. In particular the simplest such separation is given by: 


Proposition 15. CK ⊬ ¬¬□⊥ → □⊥. 


Proof. By case analysis on cut-free bottom-up proof search in LCK. The only 
applicable rule is →-r, requiring us to prove ¬¬□⊥ ⇒ □⊥. At this stage there 
are two possible choices: 


– weaken ¬¬□⊥ on the LHS: this would require us to prove ⇒ □⊥, which is 
not even classically valid. 

– apply →-l on ¬¬□⊥ on the LHS: this requires us to prove ⇒ ¬□⊥ (the left 
premiss) which is, again, not even classically valid. 


Recalling Lemma 10 for IK, what breaks down here for CK is the negativity 
of the □, i.e. ¬¬□A → □¬¬A. Its underivability in CK is immediate from 
Proposition 15 above, cf. Example 14. In particular we have: 


Corollary 16. CK + k4 + k5 (and so also IK) proves strictly more ◇-free theorems 
than CK (and so also iK). 


² Note that a common axiomatisation of CPL simply extends IPL by ¬¬A → A. 
³ Recall that ¬A := A → ⊥. 
4 Perspectives 


4.1 On Other Separations and ◇-Free Axiomatisations 


Despite the separation in the preceding section, iK and CK are known to validate 
some other double-negation translations, see e.g. [22]. Of course none of 
these translations rely on negativity of the □, i.e. ¬¬□A → □¬¬A. Our separation 
was announced (but not peer-review published) in a post on The Proof 
Theory Blog in August 2022 [11]. The discussion therein covered several other 
separating formulas too. In particular, Alex Simpson reported such a separation 
C := (¬□⊥ → □⊥) → □⊥, privately communicated to him in 1996 by Carsten 
Grefe. Let us point out that this latter separation is already a consequence of 
Proposition 15, as even IPL already proves C → ¬¬□⊥ → □⊥: it is an instance 
of the IPL theorem ((¬A → A) → A) → ¬¬A → A by A = □⊥. 

In the same discussion it was mentioned that the ◇-free fragment of IK was 
not finitely ◇-free axiomatisable. We could not find this result in the literature, 
nor could we easily verify it independently. While its status is beyond the scope 
of this work, let us make an observation: 


Proposition 17. We have: 


1. The ◇-free fragment of CK + k4 + k5 is finitely ◇-free axiomatised. 
2. The {∨, ◇}-free fragment of IK is finitely {∨, ◇}-free axiomatised and coincides 
with that of CK + k4 + k5. 


Proof (sketch). Replacing ◇· by ¬□¬· and · ∨ · by ¬(¬· ∧ ¬·) in the axioms k1–k5 
yields theorems of CK + k4 + k5. Both results follow from here by carrying out 
the same replacement everywhere in an axiomatic proof, construing the modified 
versions of k1–k5 as the underlying axiomatisation. 


Note that an immediate consequence of the result above is that, if indeed the 
◇-free fragment of IK is not finitely axiomatised, then it is separated from the 
◇-free fragment of CK + k4 + k5, and any such separation must make crucial use 
of ∨, cf. the blue arrow in Fig. 2. 


4.2 On ◇-Normality and the Problem of CK + k3 + k5 


The ◇-free separation of iK and IK forces us to question some of the 'canonical' 
aspects of '□-only intuitionistic modal logic' iK. Above all, it is not clear whether 
fixing iK (or the ◇-free fragment of CK) forces, say, abnormality of the ◇; 
equivalently, does normality of the ◇, i.e. k3 + k5, force more ◇-free theorems 
over iK (or CK)? Let us point out that in the post [11] there was significant 
discussion about the status of CK + k3 + k5, with no definitive resolution about 
its ◇-free fragment with respect to iK, CK, IK. The remainder of this paper is 
devoted to a resolution of this question; namely, CK + k3 + k5 is indeed ◇-free 
conservative over iK, cf. Fig. 2. 

Before turning to that, let us briefly discuss why the status of CK + k3 + k5 
is somewhat nontrivial. Recalling Remark 8, it would be natural to further 
generalise the calculus LCK to a 'multi-succedent' version, allowing any number 
of formulas on the RHS, not just 1 (or 0 for WK). The RHS singleton restriction 
now only applies to the □ and →-r rules. The idea is that, while 0 formulas 
on the RHS corresponds to k5, many could correspond to k3. Indeed this seems 
promising in light of the following (cut-free) multi-succedent proofs of those 
axioms: 

\begin{prooftree}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$A \Rightarrow A, B$}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$B \Rightarrow A, B$}
\RightLabel{$\vee$-l}
\BinaryInfC{$A \vee B \Rightarrow A, B$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Diamond(A \vee B) \Rightarrow \Diamond A, \Diamond B$}
\RightLabel{$\vee$-r}
\UnaryInfC{$\Diamond(A \vee B) \Rightarrow \Diamond A \vee \Diamond B$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Rightarrow \Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$}
\end{prooftree}

\begin{prooftree}
\AxiomC{}
\RightLabel{$\bot$-l}
\UnaryInfC{$\bot \Rightarrow$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Diamond\bot \Rightarrow$}
\RightLabel{w-r}
\UnaryInfC{$\Diamond\bot \Rightarrow \bot$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Rightarrow \Diamond\bot \to \bot$}
\end{prooftree}


The calculus is hence readily seen to be sound for CK + k3 + k5. However it does 
not enjoy cut-elimination, due to issues with commutative cases arising from the 
single succedent restriction on the □ rule and the →-r rule. In particular, while 
CK + k3 + k5 ⊢ ◇(A ∨ (B → C)) → (◇A ∨ (□B → ◇C)), e.g. by the proof, 


\begin{prooftree}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$A \Rightarrow A, B \to C$}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$B \to C \Rightarrow A, B \to C$}
\RightLabel{$\vee$-l}
\BinaryInfC{$A \vee (B \to C) \Rightarrow A, B \to C$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Diamond(A \vee (B \to C)) \Rightarrow \Diamond A, \Diamond(B \to C)$}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$B \to C, B \Rightarrow C, B$}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$B, C \Rightarrow C$}
\RightLabel{$\to$-l}
\BinaryInfC{$B \to C, B \Rightarrow C$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Diamond(B \to C), \Box B \Rightarrow \Diamond C$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Diamond(B \to C) \Rightarrow \Box B \to \Diamond C$}
\RightLabel{cut}
\BinaryInfC{$\Diamond(A \vee (B \to C)) \Rightarrow \Diamond A, \Box B \to \Diamond C$}
\end{prooftree}

note that it has no cut-free such proof, by consideration of rule applications. 


5 Nested Sequent Calculus for CK + k3 + k5 


In this section we will introduce a nested sequent calculus nJ◇□ for CK + k3 + k5, 
by extending Fitting's calculus for IPL [16] by natural modal rules. We prove 
a cut-elimination result for nJ◇□, which will imply the ◇-free conservativity of 
CK + k3 + k5 over CK. We shall mostly follow the notation employed by Fitting, 
but deviate in minor conventions to facilitate our ultimate cut-elimination result. 
All results are self-contained. 

A (nested) sequent, written S etc., is an expression Γ ⇒ X where Γ is a set of 
formulas and X is a set of formulas and nested sequents. We interpret sequents 
by a formula translation, where Δ collects the formulas and X the nested sequents on the RHS: 
$\mathrm{fm}(\Gamma \Rightarrow \Delta, X) := \bigwedge\Gamma \to (\bigvee\Delta \vee \bigvee_{S \in X} \mathrm{fm}(S))$. 

A (nested sequent) context, written S[], is defined as expected. Note that it 
is implicit in this notation that the context hole must only occur where a nested 
sequent may be placed to produce a correct nested sequent, i.e., for S[] a context 
and S' a nested sequent, S[S'] is always a nested sequent. 


Example 18 (Contexts). A ⇒ B, (C, D ⇒ E, []) is a context, but A, [] ⇒ B, C 
and A ⇒ B, (C, [] ⇒ D) are not. 
We may also write contexts for sets (of nested sequents and formulas), e.g. 
X[], etc., where again X[S] must always be a correct set of nested sequents and 
formulas. A consequence of the definition of nested sequent is that we can safely 
substitute sets in place of the context hole, i.e. if Y is a set of nested sequents and 
formulas then X[Y] is a set of nested sequents and formulas, and S[Y] is a nested sequent. 


5.1 System nJ◇□ 


The system nJ is given by the structural rules and (left and right) logical rules 
from Fig. 4. It is equivalent to the nested calculus given by Fitting in [16], but 
we shall not use this fact: its soundness and completeness for IPL will be a 
consequence of later results. To define its extension by modalities, we must first 
generalise the usual notion of a modality distributing over a sequent: 


Structural rules 

$$
\frac{}{S[\Gamma, A \Rightarrow X[A]]}\ \mathrm{id}
\qquad
\frac{S[\Gamma \Rightarrow X]}{S[\Gamma, A \Rightarrow X]}\ \text{w-l}
\qquad
\frac{S[\Gamma \Rightarrow X]}{S[\Gamma \Rightarrow X, S']}\ \text{w-r}
$$
$$
\frac{S[\Gamma \Rightarrow X[\Delta, \Sigma \Rightarrow Y]]}{S[\Gamma, \Delta \Rightarrow X[\Sigma \Rightarrow Y]]}\ \Rightarrow
\qquad
\frac{S[\Rightarrow X]}{S[X]}\ \Rightarrow\text{-e}
$$

Left logical rules 

$$
\frac{}{S[\Gamma, \bot \Rightarrow X]}\ \bot\text{-l}
\qquad
\frac{S[\Gamma, A \Rightarrow X] \quad S[\Gamma, B \Rightarrow X]}{S[\Gamma, A \vee B \Rightarrow X]}\ \vee\text{-l}
$$
$$
\frac{S[\Gamma, A, B \Rightarrow X]}{S[\Gamma, A \wedge B \Rightarrow X]}\ \wedge\text{-l}
\qquad
\frac{S[\Gamma, A \to B \Rightarrow X, A] \quad S[\Gamma, B \Rightarrow X]}{S[\Gamma, A \to B \Rightarrow X]}\ \to\text{-l}
$$

Right logical rules 

$$
\frac{S[\Gamma \Rightarrow X, A, B]}{S[\Gamma \Rightarrow X, A \vee B]}\ \vee\text{-r}
\qquad
\frac{S[\Gamma \Rightarrow X, A] \quad S[\Gamma \Rightarrow X, B]}{S[\Gamma \Rightarrow X, A \wedge B]}\ \wedge\text{-r}
\qquad
\frac{S[\Gamma \Rightarrow X, (A \Rightarrow B)]}{S[\Gamma \Rightarrow X, A \to B]}\ \to\text{-r}
$$

Modal rules 

$$
\frac{S[\Gamma, A \Rightarrow X]}{S^{\Diamond}[\Box\Gamma, \Diamond A \Rightarrow X^{\Diamond}]}\ \Diamond
\qquad
\frac{S[\Gamma \Rightarrow A]}{S^{\Diamond}[\Box\Gamma \Rightarrow \Box A]}\ \Box \quad (S \text{ is right-,-free})
$$

Fig. 4. System nJ◇□. 


Definition 19 (Promotion). For sets X define X^◇ by: 

$$
\emptyset^{\Diamond} := \emptyset \qquad A^{\Diamond} := \Diamond A \qquad (X, Y)^{\Diamond} := X^{\Diamond}, Y^{\Diamond} \qquad (\Gamma \Rightarrow X)^{\Diamond} := \Box\Gamma \Rightarrow X^{\Diamond}
$$

For (set-)contexts X[], we define X^◇[] the same way and by setting []^◇ := []. 
Remark 20 (Promotion and ◇-normality). The intention is that X^◇ is a consequence 
of ◇fm(X). The ∅ case is justified by k5, while the ',' case is justified 
by k3. The '⇒' case is justified by the 'Fischer Servi' property: ◇(A → B) → 
□A → ◇B. This is a consequence already of CK: 

\begin{prooftree}
\AxiomC{}
\RightLabel{IPL}
\UnaryInfC{$A \to B, A \Rightarrow B$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Diamond(A \to B), \Box A \Rightarrow \Diamond B$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Diamond(A \to B) \Rightarrow \Box A \to \Diamond B$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Rightarrow \Diamond(A \to B) \to \Box A \to \Diamond B$}
\end{prooftree}


A right-, is a comma ',' on the RHS of some ⇒ (immediately, not hereditarily). 
A sequent (or context) is right-,-free if it has no right-,. 


Definition 21. The system nJ◇□ consists of all the rules in Fig. 4. 


Example 22. Recall the formula ◇(A ∨ (B → C)) → (◇A ∨ (□B → ◇C)) from 
Subsect. 4.2, which is a consequence of CK + k3 + k5 but has no cut-free proof 
in the 'multi-succedent' version of LCK. We here give a nJ◇□ proof of it: 


\begin{prooftree}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$\Rightarrow A \Rightarrow A, (B \Rightarrow C)$}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$\Rightarrow\ \Rightarrow A, (B \to C, B \Rightarrow C, B)$}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$\Rightarrow\ \Rightarrow A, (C, B \Rightarrow C)$}
\RightLabel{$\to$-l}
\BinaryInfC{$\Rightarrow\ \Rightarrow A, (B \to C, B \Rightarrow C)$}
\RightLabel{$\Rightarrow$}
\UnaryInfC{$\Rightarrow B \to C \Rightarrow A, (B \Rightarrow C)$}
\RightLabel{$\vee$-l}
\BinaryInfC{$\Rightarrow A \vee (B \to C) \Rightarrow A, (B \Rightarrow C)$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Rightarrow \Diamond(A \vee (B \to C)) \Rightarrow \Diamond A, (\Box B \Rightarrow \Diamond C)$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Rightarrow \Diamond(A \vee (B \to C)) \Rightarrow \Diamond A, \Box B \to \Diamond C$}
\RightLabel{$\vee$-r}
\UnaryInfC{$\Rightarrow \Diamond(A \vee (B \to C)) \Rightarrow \Diamond A \vee (\Box B \to \Diamond C)$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Rightarrow \Diamond(A \vee (B \to C)) \to (\Diamond A \vee (\Box B \to \Diamond C))$}
\end{prooftree}


We have coloured red the 'principal' part of an inference step. Note at the top 
the necessity of applying the ⇒ rule before →-l, bottom-up, in order to prove 
⇒ B → C ⇒ A, (B ⇒ C). 
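The following worked computation is added here as an illustration and is not part of the original paper. It applies the formula translation fm from the start of Sect. 5 and the promotion of Definition 19 to the ◇ step of the proof in Example 22, making Remark 20 concrete for this one instance. Empty cedents are read as the empty conjunction ⊤ and the empty disjunction ⊥, and the outermost empty sequent ⇒ S contributes only ⊤ → (⊥ ∨ fm(S)), which is IPL-equivalent to fm(S), so it is left out below.

$$
\begin{array}{rcl}
\mathrm{fm}(A \vee (B \to C) \Rightarrow A, (B \Rightarrow C)) &=& (A \vee (B \to C)) \to (A \vee \mathrm{fm}(B \Rightarrow C)) \\
&=& (A \vee (B \to C)) \to (A \vee (B \to C)) \\[6pt]
(A, (B \Rightarrow C))^{\Diamond} &=& A^{\Diamond}, (B \Rightarrow C)^{\Diamond} \;=\; \Diamond A, (\Box B \Rightarrow \Diamond C) \\[6pt]
\mathrm{fm}(\Diamond(A \vee (B \to C)) \Rightarrow \Diamond A, (\Box B \Rightarrow \Diamond C)) &=& \Diamond(A \vee (B \to C)) \to (\Diamond A \vee (\Box B \to \Diamond C))
\end{array}
$$

As Remark 20 describes, the promoted RHS follows from ◇ applied to the premiss's RHS: k3 gives ◇(A ∨ (B → C)) → ◇A ∨ ◇(B → C), and the Fischer Servi property gives ◇(B → C) → □B → ◇C, so composing the two yields exactly the formula translation of the conclusion, which is the theorem of CK + k3 + k5 that Example 22 proves. The ∅ case of promotion, and hence k5, is not needed for this particular step since neither cedent is empty.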


The main result of this section is: 


Theorem 23 (Soundness and completeness). nJ◇□ ⊢ ⇒ A if and only if 
CK + k3 + k5 ⊢ A. 


To show the completeness (if) direction we will need to first give a simulation 
using a ‘cut’ rule, then prove cut-elimination. To avoid case explosion later in the 
presence of modal rules, it will facilitate our ultimate cut-elimination argument 
to consider a ‘context-joining’ cut, à la Tait. For this, we first need to generalise 
the usual notion of sequent union: 
Definition 24 (Context joining). For contexts S[], S'[] define S[] · S'[] by 


– [] · S[] := S[]; 
– (Γ ⇒ X, S[]) · (Γ' ⇒ X', S'[]) := Γ, Γ' ⇒ X, X', (S[] · S'[]). 


Note that, by a basic induction on the structure of contexts, we have that · 
is associative, commutative and idempotent. We shall sometimes write simply 
(S · S')[] for (S[] · S'[]), as abuse of notation. We shall also sometimes extend this 
notation to set-contexts, X[] · X'[], by adding the clause (X, Y[]) · (X', Y'[]) := 
X, X', (Y[] · Y'[]). From here the cut rule is defined as: 

$$
\frac{S[\Gamma \Rightarrow X, A] \qquad S'[\Gamma', A \Rightarrow X']}{(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X']}\ \text{cut} \qquad\qquad (1)
$$
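A small worked instance of Definition 24 and of the cut rule (1), added here for illustration and not part of the original paper; the two contexts and the formulas A, …, G are chosen arbitrarily for the example.

$$
\begin{array}{rcl}
S[] &:=& A \Rightarrow B, (C \Rightarrow []) \qquad\qquad S'[] \;:=\; D \Rightarrow (E \Rightarrow []) \\[6pt]
S[] \cdot S'[] &=& (A \Rightarrow B, (C \Rightarrow [])) \cdot (D \Rightarrow (E \Rightarrow [])) \\
&=& A, D \Rightarrow B, \big((C \Rightarrow []) \cdot (E \Rightarrow [])\big) \\
&=& A, D \Rightarrow B, (C, E \Rightarrow ([] \cdot [])) \\
&=& A, D \Rightarrow B, (C, E \Rightarrow []) \\[6pt]
S[] \cdot S[] &=& A, A \Rightarrow B, B, (C, C \Rightarrow []) \;=\; S[] \quad \text{(cedents are sets: idempotence)}
\end{array}
$$

With these contexts an instance of (1), taking Γ = X = Γ' = ∅, cut-formula F and X' = G, reads:

$$
\frac{A \Rightarrow B, (C \Rightarrow (\Rightarrow F)) \qquad D \Rightarrow (E \Rightarrow (F \Rightarrow G))}{A, D \Rightarrow B, (C, E \Rightarrow (\Rightarrow G))}\ \text{cut}
$$

Note how the conclusion is (S · S')[⇒ G]: the cut-formula F is removed at the hole, while everything outside the hole is joined componentwise, which is what lets the cut-reduction cases of Sect. 6 keep the two premisses' surrounding material aligned.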


5.2 Metalogical Results 


By induction on the structure of nJ◇□ + cut proofs it is routine to establish the 
'only if' direction of our main result Theorem 23: 


Proposition 25 (Soundness). If nJ◇□ + cut ⊢ S then CK + k3 + k5 ⊢ fm(S). 


The most interesting case is the ◇ rule, which is justified by Remark 20. Among 
the non-modal rules the most interesting cases are the 'switch' rule ⇒ and the 
branching rules, which make use of the following lemma: 


Lemma 26. The following are intuitionistically valid: 

$$
((A \to B) \vee C) \to (A \to (B \vee C)) \qquad\qquad (A \to (B \wedge C)) \leftrightarrow ((A \to B) \wedge (A \to C))
$$
$$
((A \vee B) \to C) \leftrightarrow ((A \to C) \wedge (B \to C)) \qquad\qquad (A \vee (B \wedge C)) \leftrightarrow ((A \vee B) \wedge (A \vee C))
$$


Let us write ⇒ⁿ for ⇒ ··· ⇒ (n times). Note that, if S is a nested sequent, then so is 
⇒ⁿ S, for all n ≥ 0. We have a routine (cut-free) simulation of CK in nJ◇□: 


Lemma 27 (Simulation of LCK). If LCK ⊢ Γ ⇒ A then nJ◇□ ⊢ ⇒ⁿ Γ ⇒ A 
for all n ≥ 0. 


Proof (sketch). The proof is by straightforward induction on the structure of a 
(cut-free) LCK proof of Γ ⇒ A. Almost all rules of LCK are essentially special 
cases of their analogues in nJ◇□; the only exception is the right implication rule, 
which is simulated as follows:⁴ 

$$
\dfrac{\dfrac{\Rightarrow^{n+1} \Gamma, A \Rightarrow B}{\Rightarrow^{n} \Gamma \Rightarrow (A \Rightarrow B)}\ \Rightarrow}{\Rightarrow^{n} \Gamma \Rightarrow A \to B}\ \to\text{-r}
\qquad\text{simulating}\qquad
\dfrac{\Gamma, A \Rightarrow B}{\Gamma \Rightarrow A \to B}\ \to\text{-r}
$$


⁴ Note here the necessity of proving the statement for all n ≥ 0 as inductive invariant. 
Proposition 28 (Completeness with cut). If CK + k3 + k5 ⊢ A then 
nJ◇□ + cut ⊢ ⇒ A. 


Proof (sketch). By induction on an axiomatic CK + k3 + k5 proof of A. In light 
of Lemma 27 above, and the presence of cut, it suffices to prove k3 and k5: 

\begin{prooftree}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$\Rightarrow A \Rightarrow A, B$}
\AxiomC{}
\RightLabel{id}
\UnaryInfC{$\Rightarrow B \Rightarrow A, B$}
\RightLabel{$\vee$-l}
\BinaryInfC{$\Rightarrow A \vee B \Rightarrow A, B$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Rightarrow \Diamond(A \vee B) \Rightarrow \Diamond A, \Diamond B$}
\RightLabel{$\vee$-r}
\UnaryInfC{$\Rightarrow \Diamond(A \vee B) \Rightarrow \Diamond A \vee \Diamond B$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Rightarrow \Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$}
\end{prooftree}

\begin{prooftree}
\AxiomC{}
\RightLabel{$\bot$-l}
\UnaryInfC{$\Rightarrow \bot \Rightarrow$}
\RightLabel{$\Diamond$}
\UnaryInfC{$\Rightarrow \Diamond\bot \Rightarrow$}
\RightLabel{w-r}
\UnaryInfC{$\Rightarrow \Diamond\bot \Rightarrow \bot$}
\RightLabel{$\to$-r}
\UnaryInfC{$\Rightarrow \Diamond\bot \to \bot$}
\end{prooftree}


6 Cut-Elimination Argument 


The goal of this section is to prove: 

Theorem 29 (Cut-elimination). If nJ◇□ + cut ⊢ S then also nJ◇□ ⊢ S. 


From here note that our main result follows immediately: 


Proof (of Theorem 23). Immediate from Theorem 29 above, Soundness (Propo- 
sition 25) and Completeness with cut (Proposition 28). 


The size of a proof is its number of inference steps. The degree of a cut is the 
number of symbols in its cut-formula, i.e. the formula A distinguished in (1). Our 
ultimate argument for cut-elimination is based on a typical double induction: 


Proof (of Theorem 29, sketch). We proceed by induction on the multiset of cut- 
degrees in a proof. We start with a(ny) topmost cut, employing a subinduction 
on the size of the subproof rooting it, permuting the cut upwards in order to 
apply the subinductive hypothesis. At key cases the multiset of cut-degrees will 
decrease and we instead apply the main inductive hypothesis on the entire proof; 
sometimes we may need to first apply the subinductive hypothesis. In terms of 
the permutation strategy, we always permute cuts over non-modal rules (on 
either side) maximally, so that our modal cut-reductions only apply when the 
inference step immediately above each side of a cut is modal. 


The next subsection is devoted to describing some of the cut-reductions. 
Before that let us give the desired consequence of cut-elimination for nJ◇□, 
namely the classification of the ◇-free fragment of CK + k3 + k5, cf. Fig. 2: 


Corollary 30. CK + k3 + k5 is conservative over iK, over ◇-free formulas. 


Proof (sketch). If CK + k3 + k5 proves a ◇-free formula A, then there is a nJ◇□ 
proof P of ⇒ A by Theorem 23. By the subformula property, P must be ◇-free 
itself, so the only modal rule occurring in P is the □-rule, whose formula 
translation is derivable already in iK. (Note that the formula translation of ◇-free 
nested sequents is always ◇-free.) All other rules are derivable already in 
IPL. 
6.1 Cut-Reduction Cases (Non-modal) 


To facilitate the description of the cut-reduction cases we will need to 'bootstrap' 
nJ◇□ somewhat. We say a rule r is size-preserving admissible for a system L if, 
whenever there is a proof in L + r of S, there is a proof in L of S of the same or 
smaller size. 


Proposition 31. The following rules are size-preserving admissible for nJ◇□: 

$$
\frac{S[R[X], Y]}{S[R[X, Y]]} \qquad (2) \qquad\qquad\qquad \frac{S[X]}{S[\Rightarrow X]}\ \Rightarrow\text{-i} \qquad (3)
$$


Thanks to the way we have presented our rules, almost all cut-reduction 
cases are ‘the same’ as those for usual sequent calculi for intuitionistic and/or 
modal logic, only under a sequent context. We highlight here some cases that 
need special attention. 

For key cases, when the cut-formula is principal for a logical rule on both 
sides of a cut, the corresponding reduction is almost always the same as that 
for the usual (multi-succedent) sequent calculus for IPL, only under a sequent 
context. The only exception is for —, since its right-introduction rule is different 
from that of the sequent calculus. The key case for — is: 


\begin{prooftree}
\AxiomC{$S[\Gamma \Rightarrow X, (A \Rightarrow B)]$}
\RightLabel{$\to$-r}
\UnaryInfC{$S[\Gamma \Rightarrow X, A \to B]$}
\AxiomC{$S'[\Gamma', A \to B \Rightarrow X', A]$}
\AxiomC{$S'[\Gamma', B \Rightarrow X']$}
\RightLabel{$\to$-l}
\BinaryInfC{$S'[\Gamma', A \to B \Rightarrow X']$}
\RightLabel{cut}
\BinaryInfC{$(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X']$}
\end{prooftree}

$\rightsquigarrow$

\begin{prooftree}
\AxiomC{$S[\Gamma \Rightarrow X, (A \Rightarrow B)]$}
\RightLabel{$\to$-r}
\UnaryInfC{$S[\Gamma \Rightarrow X, A \to B]$}
\AxiomC{$S'[\Gamma', A \to B \Rightarrow X', A]$}
\RightLabel{cut}
\BinaryInfC{$(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X', A]$}
\AxiomC{$S[\Gamma \Rightarrow X, (A \Rightarrow B)]$}
\RightLabel{$\Rightarrow$}
\UnaryInfC{$S[\Gamma, A \Rightarrow X, (\Rightarrow B)]$}
\RightLabel{$\Rightarrow$-e}
\UnaryInfC{$S[\Gamma, A \Rightarrow X, B]$}
\RightLabel{cut}
\BinaryInfC{$(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X', B]$}
\AxiomC{$S'[\Gamma', B \Rightarrow X']$}
\RightLabel{cut}
\BinaryInfC{$(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X']$}
\end{prooftree}

Referring to our cut-elimination argument, note we must apply the subinductive 
hypothesis to the topmost cut before calling the main inductive hypothesis. 

Any cut immediately preceded by an identity step (on either side) can be 
reduced to an identity step, eliminating the cut. Also all commutations of a cut 
above a logical rule are routine, as the ⇒-depth of the cut-formula is not affected. 

Almost all permutations when a cut is preceded by a structural step are 
routine. The only exception is a permutation over a ⇒ step. Before we can 
present this we need to set up some notation. First, let us write ⇒^{X[]} for ⇒^d 
where d is the ⇒-depth of the hole [] in X[]. I.e., 

$$
\Rightarrow^{[]} := \Rightarrow^{0} \qquad\qquad \Rightarrow^{(\Gamma \Rightarrow X[])} := \Rightarrow\ \Rightarrow^{X[]}
$$
We shall sometimes write ⇒^S for ⇒^{S[]}, as abuse of notation. By a straightforward 
induction on the structure of set-contexts we have that ⇒^{X[]} [] · X[] = X[]. 
Now we can give the critical ⇒-permutation by: 


\begin{prooftree}
\AxiomC{$S[\Gamma \Rightarrow X, A]$}
\AxiomC{$S'[\Gamma' \Rightarrow X'[A, \Delta, \Sigma \Rightarrow Y]]$}
\RightLabel{$\Rightarrow$}
\UnaryInfC{$S'[\Gamma', A, \Delta \Rightarrow X'[\Sigma \Rightarrow Y]]$}
\RightLabel{cut}
\BinaryInfC{$(S \cdot S')[\Gamma, \Gamma', \Delta \Rightarrow X, X'[\Sigma \Rightarrow Y]]$}
\end{prooftree}

$\rightsquigarrow$

\begin{prooftree}
\AxiomC{$S[\Gamma \Rightarrow X, (\Rightarrow^{X'} A)]$}
\AxiomC{$S'[\Gamma' \Rightarrow X'[A, \Delta, \Sigma \Rightarrow Y]]$}
\RightLabel{cut}
\BinaryInfC{$(S \cdot S')[\Gamma, \Gamma' \Rightarrow X, X'[\Delta, \Sigma \Rightarrow Y]]$}
\RightLabel{$\Rightarrow$}
\UnaryInfC{$(S \cdot S')[\Gamma, \Gamma', \Delta \Rightarrow X, X'[\Sigma \Rightarrow Y]]$}
\end{prooftree}

Note the importance here of size-preserving admissibility of ⇒-i, Proposition 
31, in order to appeal to the subinductive hypothesis. 


6.2 Cut-Reduction Cases (Modal) 


Defining the modal cut-reductions is facilitated by the observation that (S₀^◇ · 
S₁^◇)[] = (S₀ · S₁)^◇[], proved again by a straightforward induction on the structure 
of sequent-contexts. The case analysis for modal cut-reductions is routine but 
lengthy; all reductions allow immediate appeal to the (sub)inductive hypothesis: 


– (◇-◇) If a cut is preceded on both sides by a ◇ step, then the cut-formula 
on the right must be the distinguished ◇-formula of the ◇ rule in Fig. 4. We 
employ a case analysis on the relative location of the distinguished ◇ formula 
and the cut formula on the left, but each situation is handled similarly. If, e.g., 
the distinguished ◇ formula and cut formula occur in parallel in the sequent 
context we have the following reduction: 


\begin{prooftree}
\AxiomC{$S_0[\Gamma, A \Rightarrow X_0][\Delta_0 \Rightarrow Y_0, B]$}
\RightLabel{$\Diamond$}
\UnaryInfC{$S_0^{\Diamond}[\Box\Gamma, \Diamond A \Rightarrow X_0^{\Diamond}][\Box\Delta_0 \Rightarrow Y_0^{\Diamond}, \Diamond B]$}
\AxiomC{$S_1[X_1][\Delta_1, B \Rightarrow Y_1]$}
\RightLabel{$\Diamond$}
\UnaryInfC{$S_1^{\Diamond}[X_1^{\Diamond}][\Box\Delta_1, \Diamond B \Rightarrow Y_1^{\Diamond}]$}
\RightLabel{cut}
\BinaryInfC{$(S_0^{\Diamond} \cdot S_1^{\Diamond})[\Box\Gamma, \Diamond A \Rightarrow X_0^{\Diamond}, X_1^{\Diamond}][\Box\Delta_0, \Box\Delta_1 \Rightarrow Y_0^{\Diamond}, Y_1^{\Diamond}]$}
\end{prooftree}

$\rightsquigarrow$

\begin{prooftree}
\AxiomC{$S_0[\Gamma, A \Rightarrow X_0][\Delta_0 \Rightarrow Y_0, B]$}
\AxiomC{$S_1[X_1][\Delta_1, B \Rightarrow Y_1]$}
\RightLabel{cut}
\BinaryInfC{$(S_0 \cdot S_1)[\Gamma, A \Rightarrow X_0, X_1][\Delta_0, \Delta_1 \Rightarrow Y_0, Y_1]$}
\RightLabel{$\Diamond$}
\UnaryInfC{$(S_0^{\Diamond} \cdot S_1^{\Diamond})[\Box\Gamma, \Diamond A \Rightarrow X_0^{\Diamond}, X_1^{\Diamond}][\Box\Delta_0, \Box\Delta_1 \Rightarrow Y_0^{\Diamond}, Y_1^{\Diamond}]$}
\end{prooftree}


– (◇-□) It is not possible for a cut to be preceded by a ◇ step on the left and a 
□ step on the right, since the former has only ◇ formulas in positive positions 
and the latter has only □ formulas in negative positions. 

– (□-◇) If a cut is preceded by a □ rule on the left and a ◇ rule on the right 
then the cut-formula must be a □ formula, and so cannot be the distinguished 
◇ formula of the ◇ step. We again employ a case analysis on the relative 
location of the distinguished ◇ formula and cut formula on the right, but 
each situation is handled similarly. If, e.g., the distinguished formula occurs 
(relatively) deeper than the cut formula, we have the following reduction: 


\begin{prooftree}
\AxiomC{$S_0[\Gamma_0 \Rightarrow A]$}
\RightLabel{$\Box$}
\UnaryInfC{$S_0^{\Diamond}[\Box\Gamma_0 \Rightarrow \Box A]$}
\AxiomC{$S_1[\Gamma_1, A \Rightarrow X[\Delta, B \Rightarrow Y]]$}
\RightLabel{$\Diamond$}
\UnaryInfC{$S_1^{\Diamond}[\Box\Gamma_1, \Box A \Rightarrow X^{\Diamond}[\Box\Delta, \Diamond B \Rightarrow Y^{\Diamond}]]$}
\RightLabel{cut}
\BinaryInfC{$(S_0^{\Diamond} \cdot S_1^{\Diamond})[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow X^{\Diamond}[\Box\Delta, \Diamond B \Rightarrow Y^{\Diamond}]]$}
\end{prooftree}

$\rightsquigarrow$

\begin{prooftree}
\AxiomC{$S_0[\Gamma_0 \Rightarrow A]$}
\AxiomC{$S_1[\Gamma_1, A \Rightarrow X[\Delta, B \Rightarrow Y]]$}
\RightLabel{cut}
\BinaryInfC{$(S_0 \cdot S_1)[\Gamma_0, \Gamma_1 \Rightarrow X[\Delta, B \Rightarrow Y]]$}
\RightLabel{$\Diamond$}
\UnaryInfC{$(S_0 \cdot S_1)^{\Diamond}[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow X^{\Diamond}[\Box\Delta, \Diamond B \Rightarrow Y^{\Diamond}]]$}
\end{prooftree}


– (□-□) If a cut is preceded on both sides by a □ rule, then the only possible 
reduction, due to right-,-freeness in the right premiss, is: 


\begin{prooftree}
\AxiomC{$S_0[\Gamma_0 \Rightarrow A]$}
\RightLabel{$\Box$}
\UnaryInfC{$S_0^{\Diamond}[\Box\Gamma_0 \Rightarrow \Box A]$}
\AxiomC{$S_1[A, \Gamma_1 \Rightarrow R[\Delta \Rightarrow B]]$}
\RightLabel{$\Box$}
\UnaryInfC{$S_1^{\Diamond}[\Box A, \Box\Gamma_1 \Rightarrow R^{\Diamond}[\Box\Delta \Rightarrow \Box B]]$}
\RightLabel{cut}
\BinaryInfC{$(S_0^{\Diamond} \cdot S_1^{\Diamond})[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow R^{\Diamond}[\Box\Delta \Rightarrow \Box B]]$}
\end{prooftree}

$\rightsquigarrow$

\begin{prooftree}
\AxiomC{$S_0[\Gamma_0 \Rightarrow A]$}
\AxiomC{$S_1[A, \Gamma_1 \Rightarrow R[\Delta \Rightarrow B]]$}
\RightLabel{cut}
\BinaryInfC{$(S_0 \cdot S_1)[\Gamma_0, \Gamma_1 \Rightarrow R[\Delta \Rightarrow B]]$}
\RightLabel{$\Box$}
\UnaryInfC{$(S_0 \cdot S_1)^{\Diamond}[\Box\Gamma_0, \Box\Gamma_1 \Rightarrow R^{\Diamond}[\Box\Delta \Rightarrow \Box B]]$}
\end{prooftree}


7 Conclusions 


We showed that iK and CK are separated from IK by their ◇-free theorems, 
and have moreover initiated a comparison of intuitionistic modal logics by their 
◇-free fragments. In particular, we have verified using proof theoretic techniques 
that the extension of iK by a normal ◇ is indeed conservative over iK, over 
◇-free formulas. Again, our results are summarised in Fig. 2. 

Our nested sequent system nJ◇□ is based on Fitting's for IPL in [16], but 
let us point out that he did not give a cut-elimination result. Naturally our cut-elimination 
result Theorem 29 also implies cut-elimination for the nested calculus 
nJ for IPL. Let us emphasise that, just as iK, CK, IK are proof-theoretically 
natural by the characterisations in Subsect. 2.1, so too is CK + k3 + k5: it is just 
the extension of the calculus nJ for IPL by modal rules. 

From here it would be fruitful to understand how to adequately extend (birelational) 
semantics for CK to CK + k3 + k5. This could also yield an alternative 
(and perhaps simpler) proof of completeness of nJ◇□ for CK + k3 + k5.⁵ We 
have also not addressed the decidability of logics in this work, but let us point 
out that we believe that CK + k3 + k5 might be proved decidable by eliminating 
⇒-e in nJ◇□ and employing a basic loop checking argument. 

There has been significant work on computational interpretations of CK 
e.g. [1-3,21,27]. However, one shortfall of CK here is that its interpretations 


⁵ We are aware of ongoing work by Nicola Olivetti and Han Gao investigating this. 
do not lift to K along the Gödel-Gentzen translation; while alternative double-negation 
translations are available, cf. [22], these do not seem robust against 
modest extensions, e.g. when including a global modality □*. On the other hand 
the fact that IK validates Gödel-Gentzen, Theorem 12, suggests that it is better 
designed for computational interpretations, in particular for interpreting classical 
modal logic K. Under the standard translation, it would be interesting to classify 
the Curry-Howard interpretation of IK as a suitable fragment of dependent type 
theory. Let us point out that Simpson already gives a termination and confluence 
proof for a version of intuitionistic natural deduction specialised to IK in his 
thesis [33]. 


Acknowledgements. The authors would like to thank The Proof Theory Blog com- 
munity for all the feedback from their post [11]. In particular this work would not have 
been possible without several insightful interactions with Alex Simpson, Reuben Rowe, 
Nicola Olivetti, Tiziano Dalmonte, Dale Miller, Dominik Kirst, Iris van der Giessen, 
and Marianna Girlando. We thank Nicola Olivetti in particular for encouraging us to 
publish these results. 

The (alphabetically) first author was supported by a UKRI Future Leaders Fellowship, 
'Structure vs Invariants in Proofs', project reference MR/S035540/1. 


References 


1. Acclavio, M., Catta, D., Straßburger, L.: Game semantics for constructive modal 
logic. In: Das, A., Negri, S. (eds.) TABLEAUX 2021. LNCS (LNAI), vol. 12842, pp. 
428-445. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-86059-2_25 

2. Arisaka, R., Das, A., Straßburger, L.: On nested sequents for constructive modal 
logic. Log. Methods Comput. Sci. (2015) 

3. Bellin, G., De Paiva, V., Ritter, E.: Extended Curry-Howard correspondence for a 
basic constructive modal logic. In: Proceedings of Methods for Modalities, vol. 2 
(2001) 

4. Blackburn, P., van Benthem, J.F., Wolter, F.: Handbook of Modal Logic. Elsevier, 
Amsterdam (2006) 

5. Blackburn, P., De Rijke, M., Venema, Y.: Modal Logic, vol. 53. Cambridge University 
Press, Cambridge (2001) 

6. Božić, M., Došen, K.: Models for normal intuitionistic modal logics. Stud. Logica 
43(3), 217-245 (1984) 

7. Bull, R.A.: A modal extension of intuitionist logic. Notre Dame J. Form. Log. 6(2), 
142-146 (1965). https://doi.org/10.1305/ndjfl/1093958154 

8. Bull, R.A.: MIPC as the formalisation of an intuitionist concept of modality. J. 
Symb. Log. 31(4), 609-616 (1966) 

9. Curry, H.B.: The elimination theorem when modality is present. J. Symb. Log. 
17(4), 249-265 (1952) 

10. Dalmonte, T.: Wijesekera-style constructive modal logics. In: Fernández-Duque, 
D., Palmigiano, A., Pinchinat, S. (eds.) Advances in Modal Logic, AiML 2022, 
Rennes, France, 22-25 August 2022, pp. 281-304. College Publications (2022) 

11. Das, A., Marin, S.: Brouwer meets Kripke: constructivising modal logic (2022). 
Post on The Proof Theory Blog. https://prooftheory.blog/2022/08/19/brouwer-meets-kripke-constructivising-modal-logic/. 
Accessed 24 May 2023 


300 A. Das and S. Marin 


12. Ewald, W.B.: Intuitionistic tense and modal logic. J. Symb. Log. 51(1), 166-179 
(1986) 

13. Fischer-Servi, G.: On modal logic with an intuitionistic base. Stud. Logica 36, 
141-149 (1977). https://doi.org/10.1007/bf02121259 

14. Fitch, F.B.: Intuitionistic modal logic with quantifiers. Port. Math. 7(2), 113-118 
(1948) 

15. Fitting, M.: Modal proof theory. Handbook of Modal Logic, pp. 85-136 (2006) 

16. Fitting, M.: Nested sequents for intuitionistic logics. Notre Dame J. Form. Log. 
55(1) (2014) 

17. Font, J.M.: Modality and possibility in some intuitionistic modal logics. Notre 
Dame J. Form. Log. 27(4), 533-546 (1986) 

18. Gentzen, G.: Die Widerspruchsfreiheit der reinen Zahlentheorie. Math. Ann. 
112(1), 493-565 (1936) 

19. Gödel, K.: Zur intuitionistischen Arithmetik und Zahlentheorie. Ergebnisse eines 
mathematischen Kolloquiums 4, 34-38 (1933) 

20. Kavvos, G.A.: The many worlds of modal λ-calculi: I. Curry-Howard for necessity, 
possibility and time. CoRR abs/1605.08106 (2016). http://arxiv.org/abs/1605.08106 

21. Kavvos, G.A.: Dual-context calculi for modal logic. In: 32nd Annual ACM/IEEE 
Symposium on Logic in Computer Science, LICS 2017, Reykjavik, Iceland, 20-23 
June 2017, pp. 1-12. IEEE Computer Society (2017). https://doi.org/10.1109/LICS.2017.8005089 

22. Litak, T., Polzer, M., Rabenstein, U.: Negative translations and normal modality. 
In: Miller, D. (ed.) 2nd International Conference on Formal Structures for Computation 
and Deduction (FSCD 2017). Leibniz International Proceedings in Informatics 
(LIPIcs), Dagstuhl, Germany, vol. 84, pp. 27:1-27:18. Schloss Dagstuhl-Leibniz-Zentrum 
fuer Informatik (2017). https://doi.org/10.4230/LIPIcs.FSCD.2017.27. 
http://drops.dagstuhl.de/opus/volltexte/2017/7741 

23. Mendler, M., de Paiva, V.: Constructive CK for contexts. In: Context Representation 
and Reasoning (CRR-2005), vol. 13 (2005) 

24. Negri, S.: Proof analysis in modal logic. J. Philos. Log. 34, 507-544 (2005) 

25. Ono, H.: On some intuitionistic modal logics. Publ. Res. Inst. Math. Sci. 13(3), 
687-722 (1977) 

26. Ono, H., Suzuki, N.Y.: Relations between intuitionistic modal logics and intermediate 
predicate logics. Rep. Math. Logic 22, 65-87 (1988) 

27. Pfenning, F., Davies, R.: A judgmental reconstruction of modal logic. Math. Struct. 
Comput. Sci. 11(4), 511-540 (2001). Notes to an invited talk at the Workshop on 
Intuitionistic Modal Logics and Applications (IMLA'99) 

28. Plotkin, G., Stirling, C.: A framework for intuitionistic modal logics. In: Proceedings 
of the 1st Conference on Theoretical Aspects of Reasoning about Knowledge 
(TARK), pp. 399-406 (1986) 

29. Satre, T.W.: Natural deduction rules for modal logics. Notre Dame J. Form. Log. 
13(4), 461-475 (1972) 

30. Servi, G.F.: Semantics for a class of intuitionistic modal calculi. In: Dalla Chiara, 
M.L. (ed.) Italian Studies in the Philosophy of Science. Boston Studies in the 
Philosophy of Science, vol. 47, pp. 59-72. Springer, Dordrecht (1980). https://doi.org/10.1007/978-94-009-8937-5_5 

31. Servi, G.F.: Axiomatizations for some intuitionistic modal logics. Rendiconti del 
Seminario Matematico dell' Università Politecnica di Torino 42(3), 179-194 (1984) 

32. Siemens, D.F.: Fitch-style rules for many modal logics. Notre Dame J. Form. Log. 
18(4), 631-636 (1977). https://doi.org/10.1305/ndjfl/1093888133 


On Intuitionistic Diamonds (and Lack Thereof) 301 



Open Access This chapter is licensed under the terms of the Creative Commons
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/),
which permits use, sharing, adaptation, distribution and reproduction in any medium
or format, as long as you give appropriate credit to the original author(s) and the
source, provide a link to the Creative Commons license and indicate if changes were
made.

The images or other third party material in this chapter are included in the
chapter's Creative Commons license, unless indicated otherwise in a credit line to the
material. If material is not included in the chapter's Creative Commons license and
your intended use is not permitted by statutory regulation or exceeds the permitted
use, you will need to obtain permission directly from the copyright holder.




CoNP Complexity for Combinations 
of Non-normal Modal Logics 


Tiziano Dalmonte¹ and Andrea Mazzullo²

¹ Free University of Bozen-Bolzano, Bolzano, Italy
tiziano.dalmonte@unibz.it
² University of Trento, Trento, Italy
andrea.mazzullo@unitn.it


Abstract. We study the complexity of the validity/derivability problem
for combinations of non-normal modal logics in the form of logic fusions, 
possibly extended with simple interaction axioms. We first present cut- 
free sequent calculi for these logic combinations. Then, we introduce 
hypersequent calculi with invertible rules, and show that they allow for 
a coNP proof search procedure. In the last part of the paper, we consider 
the case of combinations of logics sharing a universal modality. Using the 
hypersequent calculi, we show that these logics remain coNP-complete, 
and also provide an equivalent axiomatisation for them. 


Keywords: Non-normal modal logics · Combination of logics · Fusion ·
Universal modality · Complexity · Hypersequent calculus


1 Introduction 


Modal logics that combine different modalities are widespread. On the one
hand, modal logics designed for applications usually contain multiple operators,
possibly with interactions among them. On the other hand, non-standard modal
logics, such as intuitionistic or description modal logics, have been connected
with classical logics with combined modalities [18,19,46,47], an observation
that allowed for a fruitful transfer of results among the different formalisms.

Concerning logics designed for applications, several systems contain modal- 
ities that display a non-normal behaviour, as they do not satisfy some princi- 
ples that are validated by any normal operator. Significant examples are epis- 
temic logics without omniscience [4], deontic logics [1], agency and ability logics 
[6, 14, 26], coalition logics [37,43]. At the same time, the recent introduction of 
non-normal systems based on intuitionistic or description logic [9,10,12,40, 41] 
naturally raises the question of their connections with classical systems with 
combined non-normal modalities. 

Multimodal logics obtained as combinations of normal systems have been 
extensively studied, with a specific focus on fusions and products [19,20,45], 
and the transfer of properties from the single systems to their combinations. 


© The Author(s) 2023

Concerning fusions of normal logics, it is known for instance that decidability,
interpolation [45] and semantic completeness [17,30] are always preserved,
whereas the complexity of the satisfiability/validity problem is not: while fusions
of PSPACE logics generally remain PSPACE, the same does not hold for fusions
of systems with a coNP validity (respectively, NP satisfiability) problem, as
witnessed by the PSPACE bimodal logics S5₂, KD45₂, K4.3₂ and S4.3₂ [25,42], in
contrast with their coNP monomodal counterparts¹ (see [19] for an overview
on transfer results).

Although most studies focus on combinations of normal modal logics, similar 
questions have been also addressed for fusions of non-normal systems. In partic- 
ular, decidability [3,23] and superamalgamation [21,22] (an algebraic property 
corresponding to a form of interpolation) are known to be preserved, while com- 
pleteness is not [15,16]. By contrast, less is understood about the transfer of 
complexity results, which is the topic of the present work. 

Non-normal modal logics (NNMLs in the following) are good examples of
coNP modal logics. These logics are defined by extending classical propositional
logic with the congruence rule A ↔ B / □A ↔ □B and combinations of standard
modal axioms (cf. Sec. 2). As shown by Vardi [44], in this family of logics,
the complexity of the validity problem strictly depends on the presence of the
agglomeration axiom □A ∧ □B → □(A ∧ B): the logics with this axiom are in
PSPACE, whereas the logics without it are coNP-complete.² Differently from
the coNP normal systems mentioned above, the same complexity bounds hold
for the multimodal formulations of these logics where all modalities are of the
same kind [44]. For this reason, combinations of NNMLs are promising in terms
of preservation of coNP complexity.

In this paper, we investigate the complexity of the validity problem for some
kinds of combinations of coNP NNMLs. In particular, we consider all coNP
NNMLs of the classical cube [7,34] as well as their coNP extensions with non-
iterative modal axioms. We first consider the fusions of NNMLs, roughly
corresponding to the disjoint union of the modal axiomatisations of the combined
systems, as well as their extensions with interaction axioms of the form □ᵢA → □ⱼA
(that correspond, for instance, to the well-known principles of 'ought implies can'
and 'does implies can' of deontic and agency logics (see e.g. [1,6,14])). In the
last part of the paper we also consider the case of combinations of NNMLs sharing
a universal modality. While most studies on property transfers are based
on algebraic or model-theoretical techniques, we adopt here a proof-theoretical
approach. We first present cut-free sequent calculi for these logic combinations.
Then we present a reformulation of the calculi in terms of hypersequents where


¹ In the following, when mentioning the complexity of a logic, we always refer to the
complexity of its validity problem. Dual results immediately follow for the
corresponding satisfiability problem: in particular, coNP-complete logics have an
NP-complete satisfiability problem. If not differently specified, the complexity bounds
are tight: by coNP logic, respectively PSPACE logic, we mean that the logic is
coNP-complete, respectively PSPACE-complete.

² More precisely, Vardi [44] shows that the satisfiability problems for these logics are
NP-complete.

Fig. 1. Diagram of non-normal monomodal logics.


all the rules are invertible, and show that they provide a coNP decision
procedure for validity in the logics. In the last part of the paper, we consider the
case of combinations of logics sharing a universal modality. Using the hypersequent
calculi, we show that these logics remain coNP-complete.


2 Non-normal Modal Logics and Their Combinations 


Given a set of unary modalities {□₁, ..., □ₙ}, we denote by ℒ[□₁, ..., □ₙ] the
propositional modal language based on a set Atm = {p₁, p₂, p₃, ...} of countably
many propositional variables, containing the Boolean operators ⊥, →, and the
modalities □₁, ..., □ₙ. We consider ⊤, ¬, ∧, ∨, ◇ᵢ to be defined as usual.

Non-normal monomodal logics are defined in a language ℒ[□ᵢ], for some i ∈ ℕ,
by extending any axiomatisation of classical propositional logic (containing
modus ponens), formulated in ℒ[□ᵢ], with the rule REᵢ below, and a combination
of the following axioms:

  REᵢ  A ↔ B / □ᵢA ↔ □ᵢB        Mᵢ  □ᵢ(A ∧ B) → □ᵢA        Nᵢ  □ᵢ⊤
  Pᵢ   ¬□ᵢ⊥                     Dᵢ  □ᵢA → ¬□ᵢ¬A           Tᵢ  □ᵢA → A


The minimal non-normal monomodal logic defined in ℒ[□ᵢ], denoted by Eᵢ, only
contains REᵢ (that is, it does not contain any additional modal axiom). Given
a list of modal axioms Σᵢ in ℒ[□ᵢ] (without repetitions), the other non-normal
monomodal systems are denoted by EΣᵢ. We call monotonic any system EΣᵢ
such that Mᵢ ∈ Σᵢ. Moreover, we use Lᵢ to denote any logic defined in ℒ[□ᵢ].

We consider the standard notion of derivability in axiomatic modal systems:
a rule B₁, ..., Bₙ / A is derivable in a logic Lᵢ if there is a finite sequence of
formulas ending with A in which every formula is an (instance of an) axiom
of Lᵢ, or it belongs to {B₁, ..., Bₙ}, or it is obtained from previous formulas by
the application of a rule of Lᵢ. A formula A is derivable in Lᵢ, written ⊢_{Lᵢ} A, if
the rule ∅ / A is derivable in Lᵢ. Finally, a formula A is (locally) derivable from a
set of formulas Φ in Lᵢ, written Φ ⊢_{Lᵢ} A, if there is a finite set {B₁, ..., Bₙ} ⊆ Φ
such that ⊢_{Lᵢ} B₁ ∧ ... ∧ Bₙ → A. We recall that the axioms Mᵢ and Nᵢ are
respectively equivalent to the monotonicity rule A → B / □ᵢA → □ᵢB and to the
necessitation rule A / □ᵢA. Note also that the axioms Pᵢ and Dᵢ are equivalent in
normal modal logics (i.e., modal logics extending Kᵢ), but are not equivalent in
non-normal ones. In particular, the following derivability relations hold: ⊢_{ETᵢ} Pᵢ,
⊢_{ETᵢ} Dᵢ, ⊢_{EMDᵢ} Pᵢ, ⊢_{ENDᵢ} Pᵢ. By virtue of these relations, the considered family
contains 17 distinct monomodal logics, displayed in Fig. 1.
In this paper, we study multimodal logics obtained by combining non-normal
monomodal logics in the following way. First, let L₁, ..., Lₙ be n non-normal
monomodal logics respectively formulated in the languages ℒ[□₁], ..., ℒ[□ₙ],
sharing the same propositional variables and Boolean operators, but with
distinct modalities □₁, ..., □ₙ. Moreover, let ℐ be an acyclic set of pairs (i, j) with
1 ≤ i, j ≤ n (that is, there is no chain (i, j₁), (j₁, j₂), ..., (jₖ, i)).


Definition 1. The combination (L₁...Lₙℐ) is the smallest multimodal logic in
the language ℒ[□₁, ..., □ₙ] that contains L₁ ∪ ... ∪ Lₙ as well as the interaction
axioms □ᵢA → □ⱼA for all (i, j) ∈ ℐ, and is closed under the rules of L₁, ...,
Lₙ (that is, modus ponens and RE₁, ..., REₙ).


Note that (L₁...Lₙ∅) corresponds to the fusion of L₁, ..., Lₙ [45]. The reason for
restricting to acyclic sets ℐ is that in presence of cycles (i, j₁), (j₁, j₂), ..., (jₖ, i),
the modalities □ᵢ, □ⱼ₁, ..., □ⱼₖ all become indistinguishable. In the following,
for every logic (L₁...Lₙℐ), we denote by ℐ* the transitive closure of ℐ.

The standard semantics of non-normal monomodal logics is given in terms 
of so-called neighbourhood models. Dealing with multimodal logics, we consider 
here models endowed with n neighbourhood functions, one for each modality. 


Definition 2. An n-neighbourhood model is a tuple M = (W, N₁, ..., Nₙ, V),
where W is a non-empty set of worlds, V : Atm → P(W) is a valuation
function, and each Nᵢ is a neighbourhood function W → P(P(W)) possibly
satisfying the following conditions for all w ∈ W, where α, β ⊆ W:


(Mᵢ-c) if α ∈ Nᵢ(w) and α ⊆ β, then β ∈ Nᵢ(w);      (Nᵢ-c) W ∈ Nᵢ(w);
(Tᵢ-c) if α ∈ Nᵢ(w), then w ∈ α;                   (Pᵢ-c) ∅ ∉ Nᵢ(w);
(Dᵢ-c) if α ∈ Nᵢ(w), then W \ α ∉ Nᵢ(w);          (Intᵢⱼ-c) Nᵢ(w) ⊆ Nⱼ(w).


Given a monomodal logic EΣᵢ and a neighbourhood function Nᵢ, we say that Nᵢ
is an EΣᵢ-function if it satisfies Condition (cᵢ-c), for every cᵢ ∈ Σᵢ. Moreover,
we say that a model M = (W, N₁, ..., Nₙ, V) is a model for a multimodal logic
(L₁...Lₙℐ), or it is a (L₁...Lₙℐ)-model, if Nᵢ is an Lᵢ-function for all 1 ≤ i ≤ n,
and M satisfies (Intᵢⱼ-c) for all (i, j) ∈ ℐ.

The relation M, w ⊩ A is defined as usual for propositional variables and
Boolean connectives, while for □ᵢ it is as follows, where [A]_M = {v | M, v ⊩ A}:


M, w ⊩ □ᵢA   iff   [A]_M ∈ Nᵢ(w).


We consider the usual notions of validity in a model M and validity in a class
of models C: M ⊨ A iff M, w ⊩ A for all w of M; and C ⊨ A iff M ⊨ A
for all M ∈ C, respectively. In the following, we omit to specify M, and simply
write w ⊩ A or [A], when it is clear from the context.

In this paper, we study the complexity of the validity problem for the logics
(L₁...Lₙℐ), that is, the problem of deciding, given a formula A of ℒ[□₁, ..., □ₙ],
whether A is valid in the class of all (L₁...Lₙℐ)-models. Due to the following
completeness result, the validity problem for (L₁...Lₙℐ) is equivalent to the
derivability problem for (L₁...Lₙℐ), that is, the problem of deciding whether A is
derivable in the axiomatic system (L₁...Lₙℐ) (Definition 1).
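The semantics of Definition 2 is concrete enough to be run. The following
Python model checker is an added example and not part of the paper: it
evaluates formulas of ℒ[□₁, ..., □ₙ] on finite n-neighbourhood models by the
truth condition above, checks the frame conditions (Mᵢ-c) to (Intᵢⱼ-c) by brute
force over all subsets of W, and uses two constructed two-world models (the
models, the valuation and the helper names are assumptions made here) to
witness the remark that Pᵢ and Dᵢ come apart in the non-normal setting: one
model validates Pᵢ but not Dᵢ, the other Dᵢ but not Pᵢ. A third constructed model
shows (Intᵢⱼ-c) validating the interaction axiom □ᵢA → □ⱼA in one direction only.

```python
# Added example (not the paper's code): finite n-neighbourhood models of
# Definition 2, with a brute-force frame-condition checker.
from itertools import product

# Formulas: ('p', name) | ('bot',) | ('imp', A, B) | ('box', i, A)
BOT = ('bot',)
def neg(a): return ('imp', a, BOT)
def box(i, a): return ('box', i, a)

def powerset(W):
    """All subsets of W as frozensets (W is tiny in these examples)."""
    W = sorted(W)
    for bits in product((0, 1), repeat=len(W)):
        yield frozenset(w for w, b in zip(W, bits) if b)

class Model:
    """M = (W, N_1..N_n, V): N[i][w] is a set of frozensets (the neighbourhoods)."""
    def __init__(self, W, N, V):
        self.W, self.N, self.V = frozenset(W), N, V

    def truth_set(self, A):
        """[A]_M, by recursion on A; the box clause is the one in the text."""
        kind = A[0]
        if kind == 'bot': return frozenset()
        if kind == 'p': return frozenset(self.V.get(A[1], ()))
        if kind == 'imp':
            a, b = self.truth_set(A[1]), self.truth_set(A[2])
            return (self.W - a) | b
        if kind == 'box':
            i, a = A[1], self.truth_set(A[2])
            return frozenset(w for w in self.W if a in self.N[i][w])
        raise ValueError(A)

    def valid(self, A):
        """M |= A iff A holds at every world."""
        return self.truth_set(A) == self.W

    def satisfies(self, cond, i, j=None):
        """Frame conditions of Definition 2 for N_i (and N_j for 'Int')."""
        W = self.W
        for w in W:
            Nw = self.N[i][w]
            if cond == 'M':
                for a in Nw:
                    for b in powerset(W):
                        if a <= b and b not in Nw: return False
            elif cond == 'N' and W not in Nw: return False
            elif cond == 'T' and any(w not in a for a in Nw): return False
            elif cond == 'P' and frozenset() in Nw: return False
            elif cond == 'D' and any((W - a) in Nw for a in Nw): return False
            elif cond == 'Int' and not Nw <= self.N[j][w]: return False
        return True

# Constructed models (assumptions of this example). W = {0, 1}, p true at 0.
P_NOT_D = Model({0, 1}, {1: {0: {frozenset({0}), frozenset({1})},
                             1: {frozenset({0}), frozenset({1})}}}, {'p': {0}})
D_NOT_P = Model({0, 1}, {1: {0: {frozenset()}, 1: {frozenset()}}}, {'p': {0}})
INT = Model({0, 1}, {1: {0: {frozenset({0})}, 1: {frozenset({0})}},
                     2: {0: {frozenset({0}), frozenset({1})},
                         1: {frozenset({0}), frozenset({1})}}}, {'p': {0}})

p = ('p', 'p')
P1 = neg(box(1, BOT))                          # P_1: ¬□_1⊥
D1 = ('imp', box(1, p), neg(box(1, neg(p))))   # D_1: □_1p → ¬□_1¬p

def separate_P_and_D():
    """(P_1-c holds, D_1-c holds, P_1 valid, D_1 valid) on the first model,
    and the same four facts with P and D swapped on the second."""
    return {
        'P_not_D': (P_NOT_D.satisfies('P', 1), P_NOT_D.satisfies('D', 1),
                    P_NOT_D.valid(P1), P_NOT_D.valid(D1)),
        'D_not_P': (D_NOT_P.satisfies('D', 1), D_NOT_P.satisfies('P', 1),
                    D_NOT_P.valid(D1), D_NOT_P.valid(P1)),
    }

def interaction_check(model, i, j, A):
    """(Int_ij-c) holds iff N_i(w) ⊆ N_j(w) at every w; it validates □_iA → □_jA."""
    return model.satisfies('Int', i, j), model.valid(('imp', box(i, A), box(j, A)))
```

In the first model every world has exactly {0} and {1} as neighbourhoods, so ∅
is never a neighbourhood (Pᵢ holds) while a set and its complement are both
neighbourhoods (Dᵢ fails, and □₁p → ¬□₁¬p is falsified at both worlds); in the
second the only neighbourhood is ∅, which falsifies ¬□₁⊥ while Dᵢ holds
vacuously.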
(init)   Γ, p ⇒ p, Δ                        (L⊥)   Γ, ⊥ ⇒ Δ
(→L)     Γ ⇒ A, Δ    Γ, B ⇒ Δ  /  Γ, A → B ⇒ Δ
(→R)     Γ, A ⇒ B, Δ  /  Γ ⇒ A → B, Δ

(eᵢ)     A ⇒ B    B ⇒ A  /  Γ, □ᵢA ⇒ □ᵢB, Δ
(mᵢ)     A ⇒ B  /  Γ, □ᵢA ⇒ □ᵢB, Δ
(nᵢ)     ⇒ A  /  Γ ⇒ □ᵢA, Δ
(pᵢ)     A ⇒  /  Γ, □ᵢA ⇒ Δ
(dᵢ)     A, B ⇒    ⇒ A, B  /  Γ, □ᵢA, □ᵢB ⇒ Δ
(d′ᵢ)    A ⇒    ⇒ A  /  Γ, □ᵢA ⇒ Δ
(mdᵢ)    A, B ⇒  /  Γ, □ᵢA, □ᵢB ⇒ Δ
(tᵢ)     Γ, □ᵢA, A ⇒ Δ  /  Γ, □ᵢA ⇒ Δ

(eᵢⱼ)    A ⇒ B    B ⇒ A  /  Γ, □ᵢA ⇒ □ⱼB, Δ
(mᵢⱼ)    A ⇒ B  /  Γ, □ᵢA ⇒ □ⱼB, Δ
(dᵢⱼ)    A, B ⇒    ⇒ A, B  /  Γ, □ᵢA, □ⱼB ⇒ Δ
(mdᵢⱼ)   A, B ⇒  /  Γ, □ᵢA, □ⱼB ⇒ Δ


Fig. 2. Sequent rules (premisses / conclusion).


Theorem 1. A formula A of ℒ[□₁, ..., □ₙ] is derivable in (L₁...Lₙℐ) if and only
if it is valid in the class of all (L₁...Lₙℐ)-models.


Proof. Soundness is routine by showing that all axioms and rules are,
respectively, valid and validity preserving in the corresponding models. For
completeness, we adapt the standard proof for non-normal monomodal logics (cf. [7]).
As usual, we call (L₁...Lₙℐ)-maximal consistent (or maxcons) any set Φ of formulas
of ℒ[□₁, ..., □ₙ] such that Φ ⊬_{(L₁...Lₙℐ)} ⊥, and for all A ∈ ℒ[□₁, ..., □ₙ], A ∉ Φ
implies Φ ∪ {A} ⊢_{(L₁...Lₙℐ)} ⊥. Moreover, we denote by |A| the class of
(L₁...Lₙℐ)-maxcons sets Φ s.t. A ∈ Φ. The usual properties of maxcons sets hold,
in particular: if Φ ⊬_{(L₁...Lₙℐ)} ⊥, then there is a (L₁...Lₙℐ)-maxcons Ψ s.t. Φ ⊆ Ψ.
We define the canonical model for (L₁...Lₙℐ) as M = (W, N₁, ..., Nₙ, V), where
W is the class of all (L₁...Lₙℐ)-maxcons sets, and for all p ∈ Atm, V(p) = |p|.
Moreover, for all 1 ≤ i ≤ n and all Φ ∈ W, we define α ∈ Nᵢ(Φ) iff α = |A| for
some □ⱼA ∈ Φ s.t. j = i or (j, i) ∈ ℐ*, or α ⊇ |B| for some □ₖB ∈ Φ s.t. k = i or
(k, i) ∈ ℐ*, and Mᵢ ∈ Lᵢ, or Mₖ ∈ Lₖ, or Mᵤ ∈ Lᵤ for some u s.t. (k, u), (u, i) ∈ ℐ*.
We can show that M is a (L₁...Lₙℐ)-model, and that for all A ∈ ℒ[□₁, ..., □ₙ],
[A] = |A|. Then the completeness of (L₁...Lₙℐ) follows in the usual way.


3  Sequent Calculi 


In this section, we present sequent calculi for all the considered combinations of 
NNMLs. We show that the calculi are sound and cut-free complete with respect 
to the corresponding axiomatic systems. 

In the following, we use capital Greek letters Γ, Δ, Π, Θ to denote possibly
empty multisets of formulas. As usual, we call sequent any pair Γ ⇒ Δ of finite
multisets of formulas. Sequents are interpreted in the language of the logic by the
formula interpretation ι(Γ ⇒ Δ) = ⋀Γ → ⋁Δ, if Γ ≠ ∅, and ι(Γ ⇒ Δ) = ⋁Δ,
if Γ = ∅, where ⋁∅ = ⊥.
S.Eᵢ:    {eᵢ}              S.ENPᵢ:  {eᵢ, nᵢ, pᵢ}        S.EMNᵢ:   {mᵢ, nᵢ}
S.EPᵢ:   {eᵢ, pᵢ}          S.ENDᵢ:  {eᵢ, nᵢ, pᵢ, dᵢ}    S.EMTᵢ:   {mᵢ, tᵢ}
S.EDᵢ:   {eᵢ, dᵢ, d′ᵢ}     S.ENTᵢ:  {eᵢ, nᵢ, tᵢ}        S.EMNPᵢ:  {mᵢ, nᵢ, pᵢ}
S.EDPᵢ:  {eᵢ, dᵢ, pᵢ}      S.EMᵢ:   {mᵢ}                S.EMNDᵢ:  {mᵢ, nᵢ, pᵢ, mdᵢ}
S.ETᵢ:   {eᵢ, tᵢ}          S.EMPᵢ:  {mᵢ, pᵢ}            S.EMNTᵢ:  {mᵢ, nᵢ, tᵢ}
S.ENᵢ:   {eᵢ, nᵢ}          S.EMDᵢ:  {mᵢ, pᵢ, mdᵢ}


Fig. 3. Modal rules of sequent calculi for non-normal monomodal logics.


Sequent calculi for non-normal monomodal logics are studied in [27,28,31,
34,36].³ For each logic Lᵢ, the corresponding sequent calculus S.Lᵢ contains the
propositional rules init, L⊥, →L, →R and suitable modal rules from Fig. 2, as
summarised in Fig. 3.

Concerning the other rules in Fig. 2, note that the order of the indexes i, j is
relevant for eᵢⱼ and mᵢⱼ (□ᵢA is in Γ while □ⱼB is in Δ), while it is not relevant
for dᵢⱼ and mdᵢⱼ (both □ᵢA and □ⱼB are in Γ). Accordingly, we assume dᵢⱼ = dⱼᵢ
and mdᵢⱼ = mdⱼᵢ, whereas eᵢⱼ ≠ eⱼᵢ and mᵢⱼ ≠ mⱼᵢ. The sequent calculi for the
combinations of NNMLs are defined as follows.


Definition 3. The sequent calculus S(L₁...Lₙℐ) for (L₁...Lₙℐ) contains, for all
1 ≤ i ≤ n, all the rules of S.Lᵢ different from d′ᵢ, as well as the following rules:


eᵢⱼ, if (i, j) ∈ ℐ*, and mᵢ ∉ S.Lᵢ, and mⱼ ∉ S.Lⱼ, and there is no k such that
  (i, k), (k, j) ∈ ℐ* and mₖ ∈ S.Lₖ;
mᵢⱼ, if (i, j) ∈ ℐ*, and mᵢ ∈ S.Lᵢ or mⱼ ∈ S.Lⱼ or there is k s.t. mₖ ∈ S.Lₖ and
  (i, k), (k, j) ∈ ℐ*;
nᵢ, if there is j such that (j, i) ∈ ℐ* and nⱼ ∈ S.Lⱼ;
dᵢ, if there is j such that (i, j) ∈ ℐ*, and eᵢⱼ ∈ S(L₁...Lₙℐ), and dⱼ ∈ S.Lⱼ;
mdᵢ, if there is j such that (i, j) ∈ ℐ*, and mᵢⱼ ∈ S(L₁...Lₙℐ), and dⱼ ∈ S.Lⱼ or
  mdⱼ ∈ S.Lⱼ;
dᵢⱼ, if there is k such that (1) (i, k) ∈ ℐ*, and (2) (j, k) ∈ ℐ* or k = j, and
  (3) dₖ ∈ S.Lₖ, and (4) eᵢₖ, eⱼₖ ∈ S(L₁...Lₙℐ);
mdᵢⱼ, if there is k s.t. (1) (i, k) ∈ ℐ*, (2) (j, k) ∈ ℐ* or k = j, (3) dₖ ∈ S.Lₖ or
  mdₖ ∈ S.Lₖ, and (4) mᵢₖ ∈ S(L₁...Lₙℐ) or mⱼₖ ∈ S(L₁...Lₙℐ);
pᵢ, if there is j such that j = i or (i, j) ∈ ℐ*, and pⱼ ∈ S.Lⱼ or there is k such
  that nₖ ∈ S(L₁...Lₙℐ), and dⱼₖ ∈ S(L₁...Lₙℐ) or mdⱼₖ ∈ S(L₁...Lₙℐ);
d′ᵢ, if pᵢ ∉ S(L₁...Lₙℐ), and there is j s.t. j = i or (i, j) ∈ ℐ*, and dⱼ ∈ S.Lⱼ;
tᵢ, if there is j such that (i, j) ∈ ℐ* and tⱼ ∈ S.Lⱼ.


The rules listed in Definition 3 are necessary in order to ensure cut-free 
completeness of the sequent calculi in presence of interactions. Two examples of 
calculi resulting from the definition are as follows: 


³ Here we only consider pure Gentzen-style sequent calculi for NNMLs. Other sequent
calculi for NNMLs have been defined in the literature in terms of labelled sequent
calculi [13,24,35], nested or hypersequent calculi [11,33,34], and display calculi [8].

S(EN₁, ET₂, EM₃, {(1, 2), (2, 3)}) = {e₁, n₁, e₂, t₂, m₃, e_{1,2}, m_{1,3}, m_{2,3}, t₁,
n₂, n₃};

S(EN₁, EM₂, ED₃, {(1, 3), (2, 3)}) = {e₁, n₁, m₂, e₃, d₃, e_{1,3}, m_{2,3}, n₃, d_{1,3},
d₁, md_{2,3}, p₃, p₁, p₂}.


As usual, initial sequents are formulated only for propositional variables but
can be extended to arbitrary formulas. We say that a rule is admissible in
S(L₁...Lₙℐ) if whenever the premisses are derivable in S(L₁...Lₙℐ), the conclusion
is also derivable, and that a single-premiss rule is height-preserving admissible
in S(L₁...Lₙℐ) (hp-admissible for short) if whenever the premiss is derivable,
the conclusion is derivable with a derivation of at most the same height.
Moreover, we say that a rule S₁, ..., Sₙ / S′ is height-preserving invertible in
S(L₁...Lₙℐ) (hp-invertible) if the rule S′ / Sᵢ is hp-admissible for all premisses Sᵢ.
One can show that the propositional rules of S(L₁...Lₙℐ) are hp-invertible, whereas
the modal rules are not (with the exception of tᵢ). As an easy example, consider
the sequents p ⇒ q and □ᵢp ⇒ □ᵢq, □ᵢ(p ∨ r), respectively premiss and conclusion
of an instance of mᵢ, where the conclusion is derivable and the premiss is not.


Proposition 1. In every calculus S(L₁...Lₙℐ), the following structural rules
Lwk, Rwk, Lctr and Rctr are hp-admissible, and the following rule cut is
admissible:


(Lwk)   Γ ⇒ Δ  /  Γ, A ⇒ Δ              (Rwk)   Γ ⇒ Δ  /  Γ ⇒ A, Δ
(Lctr)  Γ, A, A ⇒ Δ  /  Γ, A ⇒ Δ        (Rctr)  Γ ⇒ A, A, Δ  /  Γ ⇒ A, Δ
(cut)   Γ ⇒ A, Δ    Π, A ⇒ Θ  /  Γ, Π ⇒ Δ, Θ


Proof. Hp-admissibility of Lwk, Rwk, Lctr and Rctr is proved as usual by mutual
induction on the height of the derivation of their premisses (with d′ᵢ ensuring
that contraction is admissible also in the calculi with dᵢ). Admissibility of cut is
proved by induction on the lexicographically ordered pairs (c, h), where c is the
weight of the cut formula, and h = h₁ + h₂ is the cut height, where h₁ and h₂ are
the heights of the derivations of the premisses of cut. The proof is standard and
distinguishes some cases according to whether the cut formula is or not principal
in the last rules applied in the derivation of the premisses of cut. Here we only
show two representative cases, where the cut formula is principal in the last rule
applied in the derivation of both premisses of cut.


(eᵢᵤ – mdᵤⱼ) The derivation on the left is converted into the one on the right:


        A ⇒ B    B ⇒ A                  B, C ⇒                   A ⇒ B    B, C ⇒
  eᵢᵤ ─────────────────────   mdᵤⱼ ───────────────────      cut ────────────────────
      Γ, □ᵢA ⇒ □ᵤB, Δ            Π, □ᵤB, □ⱼC ⇒ Θ                     A, C ⇒
  cut ─────────────────────────────────────────────     mdᵢⱼ ─────────────────────────
              Γ, Π, □ᵢA, □ⱼC ⇒ Δ, Θ                            Γ, Π, □ᵢA, □ⱼC ⇒ Δ, Θ


where the application of cut has a lower height, and mdᵢⱼ ∈ S(L₁...Lₙℐ) by
Definition 3. Indeed, eᵢᵤ ∈ S(L₁...Lₙℐ) implies (i, u) ∈ ℐ*. Moreover, since
mdᵤⱼ ∈ S(L₁...Lₙℐ), following Definition 3 there are three possibilities: (1)
(u, j) ∈ ℐ*, and mᵤⱼ ∈ S(L₁...Lₙℐ), and dⱼ ∈ S(L₁...Lₙℐ) or mdⱼ ∈ S(L₁...Lₙℐ);
or (2) (j, u) ∈ ℐ*, and mⱼᵤ ∈ S(L₁...Lₙℐ), and dᵤ ∈ S(L₁...Lₙℐ) or mdᵤ ∈
S(L₁...Lₙℐ); or (3) there is k such that (u, k), (j, k) ∈ ℐ*, and mᵤₖ ∈ S(L₁...Lₙℐ)
or mⱼₖ ∈ S(L₁...Lₙℐ), and dₖ ∈ S(L₁...Lₙℐ) or mdₖ ∈ S(L₁...Lₙℐ). If (1), then
(i, j) ∈ ℐ* and mᵢⱼ ∈ S(L₁...Lₙℐ). If (2), then (i, u), (j, u) ∈ ℐ*. If (3), then
(i, k), (j, k) ∈ ℐ*. In all these cases, by Definition 3, mdᵢⱼ ∈ S(L₁...Lₙℐ).

(mᵢⱼ – pⱼ) The derivation on the left is converted into the one on the right:


          A ⇒ B                   B ⇒                       A ⇒ B    B ⇒
  mᵢⱼ ──────────────────    pⱼ ──────────────          cut ────────────────
      Γ, □ᵢA ⇒ □ⱼB, Δ          Π, □ⱼB ⇒ Θ                        A ⇒
  cut ─────────────────────────────────────        pᵢ ──────────────────────
              Γ, Π, □ᵢA ⇒ Δ, Θ                          Γ, Π, □ᵢA ⇒ Δ, Θ


where the application of cut has a lower height, and pᵢ ∈ S(L₁...Lₙℐ) by
Definition 3. Indeed, mᵢⱼ ∈ S(L₁...Lₙℐ) implies (i, j) ∈ ℐ*. Moreover, since
pⱼ ∈ S(L₁...Lₙℐ) we have three possibilities: (1) pⱼ ∈ S.Lⱼ; or (2) there is k such
that (j, k) ∈ ℐ* and pₖ ∈ S.Lₖ; or (3) there are k, u such that (j, k), (k, u) ∈ ℐ*,
nᵤ ∈ S(L₁...Lₙℐ), and dₖᵤ ∈ S(L₁...Lₙℐ) or mdₖᵤ ∈ S(L₁...Lₙℐ). If (1), then by
Definition 3, pᵢ ∈ S(L₁...Lₙℐ). If (2) or (3), then (i, k) ∈ ℐ*, and in both cases
by Definition 3, pᵢ ∈ S(L₁...Lₙℐ).


Theorem 2. Γ ⇒ Δ is derivable in S(L₁...Lₙℐ) if and only if ⋀Γ → ⋁Δ is
derivable in (L₁...Lₙℐ).


Proof. (⇒) For each rule S / S′ or S₁, S₂ / S′ of S(L₁...Lₙℐ), we need to show that
the corresponding rule ι(S) / ι(S′) or ι(S₁), ι(S₂) / ι(S′) is derivable in (L₁...Lₙℐ).
We consider as an example the rule mdᵢⱼ, and write ⊢ for ⊢_{(L₁...Lₙℐ)}. First, it is
easy to see that ⊢ □ᵢA → □ⱼA for all (i, j) ∈ ℐ*. Now suppose that ⊢ A ∧ B → ⊥,
hence ⊢ A → ¬B. By Definition 3, there is k such that (i, k) ∈ ℐ* or k = i,
(j, k) ∈ ℐ* or k = j, dₖ ∈ S.Lₖ or mdₖ ∈ S.Lₖ, and mᵢₖ ∈ S(L₁...Lₙℐ) or
mⱼₖ ∈ S(L₁...Lₙℐ). Then, by definition of the monomodal calculi, Dₖ ∈ Lₖ. Suppose
that mᵢₖ ∈ S(L₁...Lₙℐ). One can show that the rule C → D / □ᵢC → □ₖD is
derivable in (L₁...Lₙℐ) for any C, D. Then since ⊢ A → ¬B, we have
⊢ □ᵢA → □ₖ¬B. Moreover, we have ⊢ □ⱼB → □ₖB. Then by Dₖ, ⊢ □ᵢA ∧ □ⱼB → ⊥,
thus ⊢ ⋀Γ ∧ □ᵢA ∧ □ⱼB → ⋁Δ for all Γ, Δ. If mⱼₖ ∈ S(L₁...Lₙℐ) the proof is
analogous. (⇐) By showing that all axioms and rules of (L₁...Lₙℐ) are derivable,
respectively admissible, in S(L₁...Lₙℐ), with modus ponens simulated by cut in
the usual way.


In this paper, we provide a proof of coNP complexity for the validity problem
for the logics (L₁...Lₙℐ) following a strategy based on a reformulation of the
calculi S(L₁...Lₙℐ) in terms of hypersequents, as explained in the next section.
Alternatively, it could be possible to devise a strategy directly based on the
calculi S(L₁...Lₙℐ) only.⁴ To this goal, two key observations are in order. First, it
is easy to see that in any proof tree 𝒯 for Γ ⇒ Δ in S(L₁...Lₙℐ), every branch
of 𝒯 has polynomial length with respect to the length n of Γ ⇒ Δ. Second, for
every non-invertible modal rule, at most quadratically many premisses (w.r.t. n)
are possible. This would allow one to obtain certificates for non-derivability in
S(L₁...Lₙℐ) verifiable in polynomial time by a deterministic Turing machine. We
leave as future work further investigation in this direction.


⁴ We thank one reviewer for suggesting this possibility to us.
4 Invertible Calculi and CoNP Complexity


In this section, we present a proof of coNP complexity for the logics (L₁...Lₙℐ)
based on a reformulation of the sequent calculi S(L₁...Lₙℐ) where all the rules are
invertible. In particular, in order to make the modal rules invertible, we rewrite
all the rules using hypersequents, following the strategy of [11]. We show that
the hypersequent calculi H(L₁...Lₙℐ) provide a coNP decision procedure for
the validity problem in (L₁...Lₙℐ). Specifically, we present a coNP proof search
algorithm in H(L₁...Lₙℐ) that explicitly constructs a derivation for every valid
hypersequent/formula. Moreover, we show that from every failed derivation one
can extract a countermodel of the input hypersequent: this means that we can
construct a countermodel of every non-valid formula.

A hypersequent H [2] is a finite multiset of sequents, and is written Γ₁ ⇒ Δ₁ |
... | Γₖ ⇒ Δₖ, where Γ₁ ⇒ Δ₁, ..., Γₖ ⇒ Δₖ are called the components of H. The
hypersequent rules for (L₁...Lₙℐ) are direct reformulations of the sequent rules,
and are displayed in Fig. 4. Essentially, backward applications of the hypersequent
modal rules introduce a new component which coincides with the premiss
of the corresponding sequent rule. In this way, all information contained in the
conclusion is preserved into the premisses, thus making alternative rule
applications still possible in bottom-up proof search. Concerning the propositional
rules, we consider a cumulative formulation of them where the principal formulas
are kept into the premisses. As we will see, this allows us to easily extract
countermodels from failed proofs.

Differently from sequents, hypersequents cannot be interpreted as formulas
of ℒ[□₁, ..., □ₙ] (we will come back to this problem in the next section).
Hypersequents are evaluated on n-neighbourhood models as: M, w ⊩ Γ ⇒ Δ if and
only if M, w ⊩ ι(Γ ⇒ Δ); M ⊨ Γ ⇒ Δ if and only if M, w ⊩ Γ ⇒ Δ for all
w of M; and M ⊨ Γ₁ ⇒ Δ₁ | ... | Γₖ ⇒ Δₖ if and only if M ⊨ Γₗ ⇒ Δₗ for
some 1 ≤ ℓ ≤ k.


Definition 4. The hypersequent calculus H(L₁...Lₙℐ) for (L₁...Lₙℐ) is defined
as S(L₁...Lₙℐ) (Definition 3), with the difference that the rules are formulated in
their hypersequent version (Fig. 4).


We first show that the calculi are sound and complete with respect to the 
corresponding logics. Since hypersequents do not have a formula interpretation, 
we consider a semantic proof of soundness. 


Proposition 2. If H is derivable in H(L₁...Lₙℐ), then H is valid in every
n-neighbourhood model for (L₁...Lₙℐ).


Proof. It is immediate to see that the initial hypersequents init and L⊥ are
valid in every model. We need to show that all rules of H(L₁...Lₙℐ) are validity
preserving in every model for (L₁...Lₙℐ). We consider as an example the rule
mdᵢⱼ. Suppose that M ⊨ H | Γ, □ᵢA, □ⱼB ⇒ Δ | A, B ⇒. If M ⊨ H |
Γ, □ᵢA, □ⱼB ⇒ Δ we are done. Otherwise M ⊨ A, B ⇒, that is, [A] ⊆ [¬B].
As a consequence of Definition 3, mdᵢⱼ belongs to H(L₁...Lₙℐ) in two cases: (1)
(init)   H | Γ, p ⇒ p, Δ                       (L⊥)   H | Γ, ⊥ ⇒ Δ
(→L)     H | Γ, A → B ⇒ A, Δ    H | Γ, A → B, B ⇒ Δ  /  H | Γ, A → B ⇒ Δ
(→R)     H | Γ, A ⇒ B, A → B, Δ  /  H | Γ ⇒ A → B, Δ

(eᵢ)     H | Γ, □ᵢA ⇒ □ᵢB, Δ | A ⇒ B    H | Γ, □ᵢA ⇒ □ᵢB, Δ | B ⇒ A  /  H | Γ, □ᵢA ⇒ □ᵢB, Δ
(mᵢ)     H | Γ, □ᵢA ⇒ □ᵢB, Δ | A ⇒ B  /  H | Γ, □ᵢA ⇒ □ᵢB, Δ
(nᵢ)     H | Γ ⇒ □ᵢA, Δ | ⇒ A  /  H | Γ ⇒ □ᵢA, Δ
(pᵢ)     H | Γ, □ᵢA ⇒ Δ | A ⇒  /  H | Γ, □ᵢA ⇒ Δ
(d′ᵢ)    H | Γ, □ᵢA ⇒ Δ | A ⇒    H | Γ, □ᵢA ⇒ Δ | ⇒ A  /  H | Γ, □ᵢA ⇒ Δ
(dᵢ)     H | Γ, □ᵢA, □ᵢB ⇒ Δ | A, B ⇒    H | Γ, □ᵢA, □ᵢB ⇒ Δ | ⇒ A, B  /  H | Γ, □ᵢA, □ᵢB ⇒ Δ
(mdᵢ)    H | Γ, □ᵢA, □ᵢB ⇒ Δ | A, B ⇒  /  H | Γ, □ᵢA, □ᵢB ⇒ Δ
(tᵢ)     H | Γ, □ᵢA, A ⇒ Δ  /  H | Γ, □ᵢA ⇒ Δ

(eᵢⱼ)    H | Γ, □ᵢA ⇒ □ⱼB, Δ | A ⇒ B    H | Γ, □ᵢA ⇒ □ⱼB, Δ | B ⇒ A  /  H | Γ, □ᵢA ⇒ □ⱼB, Δ
(mᵢⱼ)    H | Γ, □ᵢA ⇒ □ⱼB, Δ | A ⇒ B  /  H | Γ, □ᵢA ⇒ □ⱼB, Δ
(mdᵢⱼ)   H | Γ, □ᵢA, □ⱼB ⇒ Δ | A, B ⇒  /  H | Γ, □ᵢA, □ⱼB ⇒ Δ
(dᵢⱼ)    H | Γ, □ᵢA, □ⱼB ⇒ Δ | A, B ⇒    H | Γ, □ᵢA, □ⱼB ⇒ Δ | ⇒ A, B  /  H | Γ, □ᵢA, □ⱼB ⇒ Δ


Fig. 4. Hypers equent rules (premisses / conclusion).


(i, j) ∈ ℐ* and M satisfies (Dⱼ-c) and (Mᵢ-c) or (Mⱼ-c), or (2) there is k such
that (i, k), (j, k) ∈ ℐ* and M satisfies (Dₖ-c) and (Mᵢ-c) or (Mⱼ-c) or (Mₖ-c). If
(1), then suppose w ⊩ □ᵢA, that is [A] ∈ Nᵢ(w). If (Mᵢ-c), then [¬B] ∈ Nᵢ(w),
and by (Intᵢⱼ-c), [¬B] ∈ Nⱼ(w). Otherwise by (Intᵢⱼ-c), [A] ∈ Nⱼ(w), and by
(Mⱼ-c), [¬B] ∈ Nⱼ(w). Thus by (Dⱼ-c), [B] ∉ Nⱼ(w). If (2), let us assume
(Mₖ-c), the other cases being similar. Suppose w ⊩ □ᵢA ∧ □ⱼB. Then [A] ∈ Nᵢ(w)
and [B] ∈ Nⱼ(w). By (Intᵢₖ-c) and (Intⱼₖ-c), [A], [B] ∈ Nₖ(w), thus [¬B], [B] ∈
Nₖ(w), against (Dₖ-c). Thus in both cases w ⊮ □ᵢA ∧ □ⱼB. Since this holds for
every w, we have M ⊨ □ᵢA, □ⱼB ⇒, hence M ⊨ H | Γ, □ᵢA, □ⱼB ⇒ Δ.


To prove completeness, we consider here a simple proof that relies on the cut-
free completeness of the sequent calculi, although a direct proof of cut elimination
analogous to the one in the previous section could be given. The proof is based
on the following observation, which can be easily proved by induction on the
height of the derivation of the premiss of the rules.


Lemma 1. The rules of external weakening and external contraction are height-
preserving admissible in H(L₁...Lₙℐ):

(Ewk)   H  /  H | Γ ⇒ Δ            (Ectr)   H | Γ ⇒ Δ | Γ ⇒ Δ  /  H | Γ ⇒ Δ
Proposition 3. If Γ ⇒ Δ is derivable in S(L₁...Lₙℐ), then Γ ⇒ Δ is derivable
in H(L₁...Lₙℐ).


Proof. By induction on the height of the derivation of Γ ⇒ Δ in S(L₁...Lₙℐ),
considering the last rule applied in the derivation. For initial sequents and
propositional rules the proof is immediate. For modal rules, suppose that Γ ⇒ Δ is
obtained from S₁ and (possibly) S₂ by the application of the sequent rule R.
Then by i.h., S₁ and S₂ are derivable in H(L₁...Lₙℐ), and by Ewk, Γ ⇒ Δ | S₁
and Γ ⇒ Δ | S₂ are derivable in H(L₁...Lₙℐ). Then by the hypersequent version
of the rule R, Γ ⇒ Δ is derivable in H(L₁...Lₙℐ).


Another immediate consequence of the height-preserving admissibility of
external weakening is that all the rules of H(L₁...Lₙℐ) are height-preserving
invertible in the calculi. It follows that one single proof search is sufficient to
establish whether a hypersequent is derivable or not. However, differently from
the sequent rules, backward applications of the hypersequent rules increase the
size of the hypersequents, thus proof search in H(L₁...Lₙℐ) does not terminate
per se. In order to retrieve termination but also obtain an optimal proof
search, following [11] (cf. also [32]), we consider a proof search strategy based on
the following loop checking condition and on a fixed order of rule applications.


Definition 5. An application of a hypersequent rule with premisses G₁, ..., Gₘ
and conclusion H satisfies the local loop checking condition (LLCC) if for each
premiss Gᵢ, there exists a component Γ ⇒ Δ in Gᵢ such that for no component
Π ⇒ Θ of the conclusion H we have set(Γ) ⊆ set(Π) and set(Δ) ⊆ set(Θ).
Moreover, having fixed an enumeration R₁, ..., Rₘ of the rules of H(L₁...Lₙℐ),
we say that the backward application of a rule Rᵢ with conclusion H satisfies the
priority order (PO) if there is no Rⱼ backward applicable to H with j < i.


Bottom-up proof search with LLCC and PO is described by Algorithm 1.
We now show that bottom-up proof search with LLCC and PO is complete, and
that it provides a coNP procedure for deciding derivability in (L₁...Lₙℐ).


Proposition 4. If H is derivable in H(L₁...Lₙℐ), then it is derivable with a
derivation in which all rule applications satisfy the LLCC and the PO.


Proof. First, we show by induction on the height n of the derivation D of H in
H(L₁...Lₙℐ) that if H is derivable in H(L₁...Lₙℐ), then it is derivable respecting
the LLCC: If n = 0, then H is an initial hypersequent and D trivially satisfies
LLCC. For n + 1, let R be the last rule applied in D. If R satisfies the LLCC, then
we apply the i.h. to its premisses and are done. Otherwise, there is a premiss Gᵢ of
R such that for all components Γ ⇒ Δ in Gᵢ, there is Π ⇒ Θ in H s.t. set(Γ) ⊆
set(Π) and set(Δ) ⊆ set(Θ). Then H can be obtained from Gᵢ by means of
height-preserving applications of the structural rules. Again, by applying the
i.h. we obtain a derivation of H where every rule application satisfies the LLCC.
Moreover, given the invertibility of the rules, any derivation can be transformed
into one satisfying PO by rearranging the order of the rule applications.
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Proposition 5. For every logic (L1...L,Z), Algorithm 1 runs in CONP. 


Proof. The algorithm is presented in the form of a non-deterministic Turing machine with only universal states (that is, states that are accepting if every transition leads to some accepting state), thus in order to prove that it runs in coNP, we need to show that every computation takes polynomial time. Let $H$ be the input hypersequent and $n$ be the size of $H$, defined as the sum of the lengths of the formulas occurring in it. Since every backward application of a rule introduces a formula or a component, the number of possible rule applications, and hence the number of computation steps, is bounded by the maximal length of the hypersequents that can be generated by the procedure. Given that all formulas occurring in a hypersequent are subformulas of some formulas occurring in $H$, and that the LLCC avoids multiple occurrences of the same formulas in the same components, every component has length at most $O(n)$. Moreover, new components are generated by a modal formula or a pair of modal formulas. Because of the LLCC, no matter in which component they occur, the same formula or pair of formulas cannot generate more than one component. Then the number of components is bounded by $O(n) + O(n) + O(n^2)$. It follows that every hypersequent has a maximal length of $O(n^3)$. Finally, checking that a premiss does not violate the LLCC takes polynomial time in the length of the conclusion. Thus the whole execution takes polynomial time.


Algorithm 1: Decision procedure for derivability in $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$.

Input: A hypersequent $H$ and the code of a calculus $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$.
Output: derivable, if $H$ is derivable; a hypersequent otherwise.

if there is a component $\Gamma \Rightarrow \Delta$ in $H$ with $\bot \in \Gamma$ or $p \in \Gamma \cap \Delta$ then
    return derivable and halt;
else if there is a rule backward applicable to $H$ respecting the LLCC then
    pick the first applicable rule according to PO;
    universally choose a premiss $G$ of this rule application;
    check that the premiss does not violate the LLCC;
    check recursively whether $G$ is derivable, output the answer and halt;
else
    return $H$ and halt;
end


In order for the procedure to succeed, it is necessary that all executions 
terminate on an initial hypersequent, hence a single failed execution is sufficient 
to ensure the non-derivability of the input hypersequent. In this latter case, the 
procedure constructs a hypersequent which is not initial and it is such that no 
rule is backward applicable to it without violating the LLCC. We call such a 
hypersequent saturated. We now show that from a saturated hypersequent we 
can extract a countermodel of the input hypersequent. 
Definition 6. Let $H = \Gamma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Gamma_k \Rightarrow \Delta_k$ be a saturated hypersequent returned by Algorithm 1 on input $G$ and $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$. For all formulas $B$ occurring in $H$ and all $1 \le i \le n$, we define

$[B]^-_i = \{\ell \mid B \in \Gamma_\ell\}$;

$[B]^+_i = W \setminus \{\ell \mid B \in \Delta_\ell\}$, if $L_i$ is not monotonic; $[B]^+_i = W$, if $L_i$ is monotonic;

$\eta_i = \{W\}$, if there is $j$ such that $j = i$ or $(i, j) \in \mathcal{I}^*$, and $N_j \in L_j$; $\eta_i = \emptyset$, otherwise.

Then the model $\mathcal{M} = (W, \mathcal{N}_1, \ldots, \mathcal{N}_n, V)$ is defined with $W = \{\ell \mid \Gamma_\ell \Rightarrow \Delta_\ell \in H\}$; for all $p \in Atm$, $V(p) = \{\ell \mid p \in \Gamma_\ell\}$; and for all $1 \le i \le n$ and all $1 \le \ell \le k$,

$\mathcal{N}_i(\ell) = \eta_i \cup \{\alpha \subseteq W \mid \text{there is } \Box_j B \in \Gamma_\ell \text{ such that } j = i \text{ or } (j, i) \in \mathcal{I}^*, \text{ and } [B]^-_j \subseteq \alpha \subseteq [B]^+_j\}$.


Proposition 6. Let $H$ be a saturated hypersequent returned by Algorithm 1 on input $G$ and $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$, and $\mathcal{M}$ be the model defined on the basis of $H$ as in Definition 6. Then for all formulas $B$ and all worlds $\ell$ of $\mathcal{M}$, it holds:

- if $B \in \Gamma_\ell$, then $\mathcal{M}, \ell \Vdash B$;
- if $B \in \Delta_\ell$, then $\mathcal{M}, \ell \nVdash B$.

Moreover, $\mathcal{M}$ is a $(L_1 \ldots L_n \mathcal{I})$-model.


Proof. The first claim is proved by induction on the construction of $B$. For $B = p$, $B = \bot$ and $B = C \wedge D$ the proof is standard. Suppose $B = \Box_i C \in \Gamma_\ell$. By i.h., $[C]^-_i \subseteq [C] \subseteq [C]^+_i$. Then by definition, $[C] \in \mathcal{N}_i(\ell)$, thus $\mathcal{M}, \ell \Vdash \Box_i C$. Now suppose $B = \Box_i C \in \Delta_\ell$. If there is no $\Box_i D \in \Gamma_\ell$ or $\Box_j D \in \Gamma_\ell$ with $(j, i) \in \mathcal{I}^*$, then if $\eta_i = \emptyset$, then $\mathcal{N}_i(\ell) = \emptyset$, hence $\mathcal{M}, \ell \nVdash \Box_i C$. If instead $\eta_i = \{W\}$, then $\mathcal{N}_i(\ell) = \{W\}$; moreover by Definition 3, $n_i \in \mathsf{S}(L_1 \ldots L_n \mathcal{I})$, hence by Definition 4, $n_i \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$. Thus, since $H$ is saturated, there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ where $C \in \Delta_m$, then by i.h., $\mathcal{M}, m \nVdash C$, hence $[C] \neq W$, thus $[C] \notin \mathcal{N}_i(\ell)$, hence $\mathcal{M}, \ell \nVdash \Box_i C$. Otherwise let $\Box_j D \in \Gamma_\ell$ with $j = i$ or $(j, i) \in \mathcal{I}^*$. If $L_j$ is monotonic, then by the rule $m_{ji}$ there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ such that $D \in \Gamma_m$ and $C \in \Delta_m$, while if $L_j$ is not monotonic, then by the rule $e_{ji}$ there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ such that $D \in \Gamma_m$ and $C \in \Delta_m$, or $C \in \Gamma_m$ and $D \in \Delta_m$. In the first case, by i.h., $[D]^-_j \not\subseteq [C]$, and in the second case, $[D]^-_j \not\subseteq [C]$ or $[C] \not\subseteq [D]^+_j$. Since this holds for all $\Box_j D \in \Gamma_\ell$ with $j = i$ or $(j, i) \in \mathcal{I}^*$, $[C] \notin \mathcal{N}_i(\ell)$, thus $\mathcal{M}, \ell \nVdash \Box_i C$.

We now prove that $\mathcal{M}$ is a $(L_1 \ldots L_n \mathcal{I})$-model. From the definition of $\mathcal{N}_i$ it follows immediately that $(\mathrm{I}_{ij})$ is satisfied for all $(i, j) \in \mathcal{I}^*$, that $(\mathrm{M}_i\text{-c})$ is satisfied if $M_i \in L_i$, and that $(\mathrm{N}_i\text{-c})$ is satisfied if $N_i \in L_i$. We show $(\mathrm{D}_i\text{-c})$ as an example for the other conditions. Suppose that $D_i \in L_i$ and, by contradiction, $\alpha \in \mathcal{N}_i(\ell)$ and $W \setminus \alpha \in \mathcal{N}_i(\ell)$. By def. of the monomodal calculi, $d_i \in \mathsf{S}.L_i$ or $md_i \in \mathsf{S}.L_i$. Moreover, by def. of $\mathcal{N}_i$, there is $\Box_j B \in \Gamma_\ell$ s.t. $j = i$ or $(j, i) \in \mathcal{I}^*$, and $[B]^-_j \subseteq \alpha \subseteq [B]^+_j$, and either there is $\Box_u C \in \Gamma_\ell$ s.t. $u = i$ or $(u, i) \in \mathcal{I}^*$, and $[C]^-_u \subseteq W \setminus \alpha \subseteq [C]^+_u$, which implies $[B]^-_j \cap [C]^-_u = \emptyset$ and $(W \setminus [B]^+_j) \cap (W \setminus [C]^+_u) = \emptyset$, or $W \setminus \alpha = W$ and $\eta_i = \{W\}$. There are four possible cases. (1) If $j = u$ and $B = C$, then by Definition 3, $d_j \in \mathsf{S}(L_1 \ldots L_n \mathcal{I})$ or $p_j \in \mathsf{S}(L_1 \ldots L_n \mathcal{I})$, hence by Definition 4, $d_j \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$ or $p_j \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$. Thus by saturation of $H$, there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ s.t. $B \in \Gamma_m$ or $B \in \Delta_m$. Then $m \in [B]^-_j$ or $m \in W \setminus [B]^+_j$. Since $[B]^-_j = [C]^-_u$ and $[B]^+_j = [C]^+_u$, this gives a contradiction. (2) If $j = u$ and $B \neq C$, by Definitions 3 and 4 we have $d_j \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$ or $md_j \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$. (3) If $j \neq u$, by Definitions 3 and 4, $d_{ju} \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$ or $md_{ju} \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$. In both cases, by saturation there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ s.t. $B, C \in \Gamma_m$ or $B, C \in \Delta_m$, which implies $m \in [B]^-_j \cap [C]^-_u$ or $m \in (W \setminus [B]^+_j) \cap (W \setminus [C]^+_u)$, giving a contradiction. (4) $W \setminus \alpha = W$ and $\eta_i = \{W\}$, that is $\alpha = \emptyset$. By Definitions 3 and 4, $p_j \in \mathsf{H}(L_1 \ldots L_n \mathcal{I})$. Thus there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ s.t. $B \in \Gamma_m$, then $[B]^-_j \neq \emptyset$, then $\alpha \neq \emptyset$, giving a contradiction. It follows that $\alpha \notin \mathcal{N}_i(\ell)$ or $W \setminus \alpha \notin \mathcal{N}_i(\ell)$.

Fig. 5. Hypersequent rules for universal modality.

$U_L$: from $H \mid \Gamma, UA \Rightarrow \Delta \mid \Sigma, A \Rightarrow \Pi$ derive $H \mid \Gamma, UA \Rightarrow \Delta \mid \Sigma \Rightarrow \Pi$
$U_R$: from $H \mid \Gamma \Rightarrow UA, \Delta \mid\ \Rightarrow A$ derive $H \mid \Gamma \Rightarrow UA, \Delta$
$U$: from $H \mid \Gamma, UA, A \Rightarrow \Delta$ derive $H \mid \Gamma, UA \Rightarrow \Delta$


Note that the model $\mathcal{M}$ of Proposition 6 is also a countermodel for the input hypersequent $G$. Indeed, since backward rule applications never delete formulas or components, for all components $\Gamma \Rightarrow \Delta$ in $G$, there is $\Pi \Rightarrow \Theta$ in $H$ such that $set(\Gamma) \subseteq set(\Pi)$ and $set(\Delta) \subseteq set(\Theta)$. Thus the world corresponding to $\Pi \Rightarrow \Theta$ in $\mathcal{M}$ falsifies also $\Gamma \Rightarrow \Delta$. In the light of this model extraction, Algorithm 1 can be easily reformulated in order to provide an NP decision procedure for the satisfiability problem in $(L_1 \ldots L_n \mathcal{I})$, with the algorithm taking as input hypersequents of the form $A \Rightarrow$. On the basis of the above results, we can conclude the following.
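The control structure of Algorithm 1 (initial check, PO, LLCC, universal choice of premisses, saturated hypersequent on failure) together with the countermodel reading of Definition 6, as an added example that is not code from the paper. Since the modal rules of the calculi of Sect. 4 are not reproduced on this page, the example assumes only cumulative backward rules for negation and conjunction, so it decides the propositional fragment; the rule functions and the order fixing PO are this example's own choices.

```python
# Formulas: ('var', 'p'), ('bot',), ('not', A), ('and', A, B).
# A hypersequent is a tuple of components; a component (Gamma, Delta) is a pair of frozensets.

def is_initial(H):
    """Line 1 of Algorithm 1: some component has ⊥ ∈ Γ or a variable p ∈ Γ ∩ Δ."""
    return any(('bot',) in g or any(f[0] == 'var' and f in d for f in g) for g, d in H)

def covered(component, H):
    """set(Γ) ⊆ set(Π) and set(Δ) ⊆ set(Θ) for some component Π ⇒ Θ of H."""
    g, d = component
    return any(g <= pi and d <= theta for pi, theta in H)

def llcc(premisses, H):
    """Definition 5: each premiss has a component not covered by any component of H."""
    return all(any(not covered(c, H) for c in G) for G in premisses)

def replace(H, k, g, d):
    return H[:k] + ((g, d),) + H[k + 1:]

# Assumed cumulative backward rules (the principal formula stays; nothing is deleted).
# Each returns the list of possible applications; an application is its list of premisses.
def and_left(H):
    return [[replace(H, k, g | {f[1], f[2]}, d)]
            for k, (g, d) in enumerate(H) for f in g if f[0] == 'and']

def and_right(H):
    return [[replace(H, k, g, d | {f[1]}), replace(H, k, g, d | {f[2]})]
            for k, (g, d) in enumerate(H) for f in d if f[0] == 'and']

def not_left(H):
    return [[replace(H, k, g, d | {f[1]})]
            for k, (g, d) in enumerate(H) for f in g if f[0] == 'not']

def not_right(H):
    return [[replace(H, k, g | {f[1]}, d)]
            for k, (g, d) in enumerate(H) for f in d if f[0] == 'not']

RULES = [and_left, not_left, not_right, and_right]   # the enumeration R_1, ..., R_m fixing PO

def decide(H, rules=RULES):
    """Algorithm 1: ('derivable', None), or ('saturated', H') from a failed execution."""
    if is_initial(H):
        return ('derivable', None)
    for rule in rules:                          # PO: first rule applicable respecting LLCC
        for premisses in rule(H):
            if llcc(premisses, H):
                for G in premisses:             # universal choice: every premiss must succeed
                    result = decide(G, rules)
                    if result[0] != 'derivable':
                        return result
                return ('derivable', None)
    return ('saturated', H)                     # no rule applies without violating LLCC

def countermodel(saturated):
    """Propositional part of Definition 6: world ℓ is component ℓ, V(p) = {ℓ | p ∈ Γ_ℓ}."""
    return {ell: {f[1] for f in g if f[0] == 'var'} for ell, (g, _) in enumerate(saturated)}

def holds(f, true_vars):
    if f[0] == 'var':
        return f[1] in true_vars
    if f[0] == 'bot':
        return False
    if f[0] == 'not':
        return not holds(f[1], true_vars)
    return holds(f[1], true_vars) and holds(f[2], true_vars)

def falsifies(saturated):
    """Proposition 6 at the propositional level: ℓ makes Γ_ℓ true and Δ_ℓ false."""
    V = countermodel(saturated)
    return all(all(holds(f, V[ell]) for f in g) and not any(holds(f, V[ell]) for f in d)
               for ell, (g, d) in enumerate(saturated))

# Constructed inputs: ⇒ ¬(p ∧ ¬p) is derivable; ⇒ p ∧ q and ⇒ p | ⇒ ¬p are not.
p, q = ('var', 'p'), ('var', 'q')
H1 = ((frozenset(), frozenset({('not', ('and', p, ('not', p)))})),)
H2 = ((frozenset(), frozenset({('and', p, q)})),)
H3 = ((frozenset(), frozenset({p})), (frozenset(), frozenset({('not', p)})))
```

For `H2` and `H3` the failed execution returns a saturated hypersequent, and `falsifies` checks that the extracted valuation is a countermodel of it, and hence of the input.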


Theorem 3. The validity problem for $(L_1 \ldots L_n \mathcal{I})$ is coNP-complete.


5 Adding the Universal Modality 


As we have seen, hypersequents cannot be interpreted in the language of NNMLs. 
The reason is that the hypersequent construct “|” semantically corresponds to a 
disjunction of validities of sequents. In order to make the hypersequent calculi 
fully internal, we now extend the language with a universal modality U, and 
add to the calculi suitable hypersequent rules for it. This operation allows us 
to treat another kind of logic combinations, namely the combination of NNMLs 
whose common language also contains U (together with the propositional vari- 
ables and the Boolean connectives). Differently from the combinations intro- 
duced in Sect. 2, we define these logic combinations not based on the axiomatic 
systems, but based on the hypersequent calculi. We show that this extension of 
the calculi still provides a CONP proof search procedure, and also allows one 
to extract suitable countermodels. Based on the hypersequent calculi and the formula interpretation of the hypersequents, we also provide an axiomatisation for the resulting logics.

Let $\mathcal{L}[\Box_1, \ldots, \Box_n]^U$ be the language containing the modalities $\Box_1, \ldots, \Box_n$ as well as $U$. Hypersequents are now interpreted in $\mathcal{L}[\Box_1, \ldots, \Box_n]^U$ by considering the standard formula interpretation of hypersequent calculi for S5 [2,38]:

$\iota(\Gamma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Gamma_n \Rightarrow \Delta_n) = U(\bigwedge \Gamma_1 \to \bigvee \Delta_1) \vee \ldots \vee U(\bigwedge \Gamma_n \to \bigvee \Delta_n)$

Moreover, let $L_1, \ldots, L_n$ be $n$ non-normal monomodal logics respectively formulated in the languages $\mathcal{L}[\Box_1]^U, \ldots, \mathcal{L}[\Box_n]^U$, with $\Box_1, \ldots, \Box_n$ all distinct but sharing the same propositional variables, Boolean operators, and universal modality $U$.


Definition 7. For every calculus $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$ from Sect. 4, the corresponding calculus $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$ in $\mathcal{L}[\Box_1, \ldots, \Box_n]^U$ contains the rules of $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$, plus the rules $U_L$, $U_R$ and $U$ in Fig. 5. Moreover, we call $(L_1 \ldots L_n \mathcal{I})^U$-model any $(L_1 \ldots L_n \mathcal{I})$-model (Definition 2), where $U$ is interpreted as $\mathcal{M}, w \Vdash UA$ if and only if $\mathcal{M}, v \Vdash A$ for all worlds $v$ of $\mathcal{M}$.


The rules for $U$ are taken from [38] (see also [39] for similar rules, while different hypersequent rules for S5 can be found in [29] and references therein). We start by showing that some of the results proved for $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$ immediately extend to $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$.


Proposition 7. If $H$ is derivable in $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$, then $H$ is valid in every $(L_1 \ldots L_n \mathcal{I})^U$-model.

Proof. By extending the proof of Proposition 2. We consider as an example the rule $U_L$: Suppose that $\mathcal{M} \models H \mid \Gamma, UA \Rightarrow \Delta \mid \Sigma, A \Rightarrow \Pi$. If $\mathcal{M} \models H \mid \Gamma, UA \Rightarrow \Delta$ we are done. Otherwise $\mathcal{M} \models \Sigma, A \Rightarrow \Pi$, and since $\mathcal{M} \models UA$ or $\mathcal{M} \models \neg UA$, from $\mathcal{M} \not\models \Gamma, UA \Rightarrow \Delta$ we get $\mathcal{M} \models UA$. Then $\mathcal{M} \models \Sigma \Rightarrow \Pi$.


Proposition 8. Algorithm 1 on inputs $H$ in $\mathcal{L}[\Box_1, \ldots, \Box_n]^U$ and $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$ runs in coNP.

Proof. The proof is exactly as the one of Proposition 5, observing that every formula $UA$ can generate at most one component (cf. [32]). Note that LLCC and Algorithm 1 remain well-defined on the new inputs.


Proposition 9. Let $H = \Gamma_1 \Rightarrow \Delta_1 \mid \ldots \mid \Gamma_k \Rightarrow \Delta_k$ be a saturated hypersequent returned by Algorithm 1 on input $G$ and $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$, and $\mathcal{M} = (W, \mathcal{N}_1, \ldots, \mathcal{N}_n, V)$ be the model defined on the basis of $G$ as in Definition 6. Then for all formulas $B$ of $\mathcal{L}[\Box_1, \ldots, \Box_n]^U$ and all $\ell \in W$, it holds: if $B \in \Gamma_\ell$, then $\mathcal{M}, \ell \Vdash B$, and if $B \in \Delta_\ell$, then $\mathcal{M}, \ell \nVdash B$. Moreover, $\mathcal{M}$ is a $(L_1 \ldots L_n \mathcal{I})^U$-model.

Proof. The proof extends the one of Proposition 6 with the case $B = UC$, which is standard: If $UC \in \Gamma_\ell$, then by $U_L$ and $U$, $C \in \Gamma_m$ for all $m \in W$, then by i.h., $\mathcal{M}, m \Vdash C$ for all $m \in W$, that is $\mathcal{M}, \ell \Vdash UC$. If $UC \in \Delta_\ell$, then by $U_R$ there is $\Gamma_m \Rightarrow \Delta_m$ in $H$ with $C \in \Delta_m$. By i.h., $\mathcal{M}, m \nVdash C$, thus $\mathcal{M}, \ell \nVdash UC$.

As before, on the basis of Proposition 9, we can obtain from the algorithm an NP decision procedure for satisfiability of $\mathcal{L}[\Box_1, \ldots, \Box_n]^U$ formulas in $(L_1 \ldots L_n \mathcal{I})^U$-models. As a further consequence, Proposition 9 entails that the calculi $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$ are complete with respect to the corresponding models. Indeed, if the proof search procedure fails on input $H$, then it constructs a saturated hypersequent $G$ that extends $H$. From Proposition 9 we get a $(L_1 \ldots L_n \mathcal{I})^U$-countermodel of $G$, whence of $H$, which means that $H$ is not $(L_1 \ldots L_n \mathcal{I})^U$-valid.


Theorem 4. $H$ is derivable in $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$ with LLCC and PO if and only if $H$ is valid in every $(L_1 \ldots L_n \mathcal{I})^U$-model.


We now take advantage of the completeness of the calculi $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$ and of the formula interpretation of hypersequents to provide an axiomatisation for the corresponding logics.


Definition 8. A logic $(L_1 \ldots L_n \mathcal{I})^U$ is axiomatically defined as the corresponding logic $(L_1 \ldots L_n \mathcal{I})$ (Definition 1), but, for each $1 \le i \le n$, replacing $RE_i$, $M_i$, $N_i$, $D_i$ and $P_i$ with the corresponding axioms $E_i^U$, $M_i^U$, $N_i^U$, $D_i^U$ and $P_i^U$ below, and adding $K_U$, $T_U$, $5_U$ and $RN_U$ (S5 axioms for $U$):

$E_i^U$: $U(A \to B) \wedge U(B \to A) \to U(\Box_i A \to \Box_i B)$
$M_i^U$: $U(A \to B) \to U(\Box_i A \to \Box_i B)$
$N_i^U$: $UA \to U\Box_i A$
$D_i^U$: $U(A \to B) \wedge U(B \to A) \to U(\Box_i A \to \neg\Box_i \neg B)$
$P_i^U$: $U\neg A \to U\neg\Box_i A$
$K_U$: $U(A \to B) \wedge UA \to UB$
$T_U$: $UA \to A$
$5_U$: $UA \vee U\neg UA$
$RN_U$: from $A$ derive $UA$

$T_i$ is the only axiom that does not change. $(L_1 \ldots L_n \mathcal{I})^U$ is an extension of $(L_1 \ldots L_n \mathcal{I})$ as $RE_i$ is derivable in $(L_1 \ldots L_n \mathcal{I})^U$ for all $1 \le i \le n$, and $M_i$, $N_i$, $D_i$ or $P_i$ is derivable if, respectively, $M_i^U$, $N_i^U$, $D_i^U$ or $P_i^U$ belongs to $(L_1 \ldots L_n \mathcal{I})^U$. Consider as an example $M_i$: From $A \wedge B \to A$, by $RN_U$, $U(A \wedge B \to A)$, then by $M_i^U$, $U(\Box_i(A \wedge B) \to \Box_i A)$, thus by $T_U$, $\Box_i(A \wedge B) \to \Box_i A$. We now show that each logic $(L_1 \ldots L_n \mathcal{I})^U$ is equivalent to the corresponding calculus $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$.


Proposition 10. If $A$ is derivable in $(L_1 \ldots L_n \mathcal{I})^U$, then $\Rightarrow A$ is derivable in $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$, and if $H$ is derivable in $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$, then $\iota(H)$ is derivable in $(L_1 \ldots L_n \mathcal{I})^U$.

Proof. For the first claim, one can show that the axioms of $(L_1 \ldots L_n \mathcal{I})^U$ are derivable in $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$. For the second claim, we prove that for every rule $H/H'$ or $H_1, H_2/H'$ of $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$, the corresponding rule $\iota(H)/\iota(H')$ or $\iota(H_1), \iota(H_2)/\iota(H')$ is derivable in $(L_1 \ldots L_n \mathcal{I})^U$. The proof follows the lines of the proof of Theorem 2 ($\Leftarrow$), considering that depending on the logics, additional axioms such as $U(A \to B) \wedge U(B \to A) \to U(\Box_i A \to \neg\Box_j \neg B)$ can be derivable.


Finally, considering the properties of the calculi $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$ and their equivalence with the systems $(L_1 \ldots L_n \mathcal{I})^U$, we can conclude the following.

Theorem 5. $(L_1 \ldots L_n \mathcal{I})^U$ is sound and complete with respect to the class of all $(L_1 \ldots L_n \mathcal{I})^U$-models. Moreover, the validity problem for $(L_1 \ldots L_n \mathcal{I})^U$ is coNP-complete.
6 Conclusion


We have proved that the validity/derivability problem for fusions of standard coNP NNMLs, as well as for their extensions with interaction axioms of the form $\Box_i A \to \Box_j A$, remains coNP-complete, and that the same result holds for combinations of logics sharing also a universal modality. In this respect, combinations of NNMLs display a different behaviour than combinations of standard coNP normal logics such as S5, KD45, K4.3 and S4.3, whose fusions are instead PSPACE.

As we have seen, fully invertible hypersequent calculi offer a good point of view on the problem, as they allow one to decompose its global complexity into the one of the single rule applications. As a further advantage, the hypersequent calculi $\mathsf{H}(L_1 \ldots L_n \mathcal{I})$ allow one to explicitly construct derivations of valid hypersequents/formulas, as well as to construct countermodels of non-valid hypersequents/formulas. Furthermore, after the integration of the rules for $U$ from [38], the calculi $\mathsf{H}(L_1 \ldots L_n \mathcal{I})^U$ directly construct countermodels where both $U$ and the neighbourhood functions behave correctly. This can be compared with alternative techniques such as the submodel generation [5] that might be non-trivial to apply in presence of the neighbourhood functions.

On the other hand, the definition of cut-free calculi for the logics with interaction axioms requires an intricate combinatorial analysis; in future work we would like to study calculi that allow for a modular definition of the logic combinations. We would also like to study logics with iterative axioms such as 4, 5, B, as well as product-like combinations for NNMLs.
Abstract. We present resolution calculi for the cube of classical non-normal modal logics. The calculi are based on a simple clausal form that
comprises both local and global clauses. Any formula can be efficiently 
transformed into a small set of clauses. The calculi contain uniform rules 
and provide a decision procedure for all logics. Their completeness is based 
on a new and crucial notion of inconsistency predicate, needed to ensure 
the usual closure properties of maximal consistent sets. As far as we know 
the calculi presented here are the first resolution calculi for this class of 
logics. 


Keywords: Modal Logic - Automated Reasoning - Resolution 


1 Introduction 


Non-normal modal logics (NNMLs) have been studied since the seminal work 
by Kripke in the 1960s, and then developed prominently by Montague, Sege- 
berg, Scott, and Chellas in the 1970s. They are called non-normal as they do 
not satisfy all axioms of minimal normal modal logic K. NNMLs are used in 
a variety of contexts. In epistemic reasoning they offer a simple (preliminary) 
solution to the problem of logical omniscience. In deontic logic, they allow to 
avoid some well-known paradoxes of classical deontic logic, and enable us to 
represent conflicting obligations. Multi-agent non-normal modalities have been used to capture notions of agency and ability, where $\Box\varphi$ is read as "the agent can bring about $\varphi$", for a formula $\varphi$ [12]. Moreover, the non-normal monotonic logic EM coincides with the 2-agent case of Pauly's coalition logic with determinacy.
Finally NNMLs are the formalism of choice to express normality and typicality, 
or truth in most of the cases, as a modality [43]. 

In this paper we consider the classical cube of NNMLs. It comprises the minimal modal logic E, the smallest modal logic closed under congruence (only), and extensions of E with one or more of the axioms C, M and N. This results in a cube of 8 systems, where the strongest one (defined by all three axioms M, N, and C) is just the normal modal logic K. NNMLs have a well-understood semantics defined in terms of neighbourhood models [7]. In these models, each world $w$ is associated with a set of neighbourhoods $N(w)$, where each neighbourhood is a set of worlds itself. If we accept the traditional interpretation of a proposition as the set of worlds in which it holds (its truth set), we can think of $N(w)$ as a set of propositions associated with $w$, i.e. precisely those propositions that are necessary, known, obligatory, ... at the world $w$. The classical cube arises by imposing closure properties on the set of neighbourhoods (or propositions) associated with a world, and captured syntactically by the axioms.

From an automated reasoning and proof theoretic view, NNMLs are not as 
well studied as normal modal logics. Cut-free Gentzen calculi for NNML have 
been studied in [22,23,25,41,42]. Labelled calculi of different kinds have been 
proposed in [10,15,37], where the neighbourhood semantics is represented syn- 
tactically through two different labels, for worlds and neighbourhoods. Situated 
between these two approaches, there are calculi that augment sequents with addi- 
tional structure, but without fully representing the neighbourhood semantics: 
linear nested sequents with an additional nesting operator [26] and structured 
hypersequents [9]. All these calculi have different purposes and properties. Cut- 
free Gentzen calculi typically provide a straightforward decision procedure, in 
some cases of optimal complexity, and help to prove interpolation [42]. Labelled 
calculi, and also the approach taken in [9], allow us to extract countermodels of 
unprovable sequents. The structured calculi of [26] provide a uniform and mod- 
ular formulation of NNML when extended with axioms of the standard modal 
cube. An algorithmic alternative to deduction has been proposed in [16], where 
the satisfiability problem in NNML is reduced to a set of SAT problems. This 
essentially implements the proof of the complexity bound for these logics given 
by Vardi [52]. 

This paper presents a different approach to reasoning in NNMLs and introduces resolution calculi for all logics in the NNML cube. Resolution methods usually rely on normal forms, which not only help in the design of the inference rules, but also allow for simple implementations. Moreover, although the complexity of the method is high (proofs might be exponential in the size of the input for some problems [21]), resolution for classical logics is widely implemented [11,17,27,28,47,49,50] with excellent performance in practice [48]. Resolution calculi have been designed for several modal logics, including the normal modal logic K and its extensions in the modal cube, either as a direct method or using translations into more expressive logics, e.g. as in [1-6,8,13,14,29-31,36] and [38-40]. Recent evaluations [18,31-35,44] show that resolution-based provers for K also perform well when compared with tableaux, SAT, and translation based procedures for modal logics [11,17-20,24,47,49-51].

To the best of our knowledge, ours are the first resolution calculi for NNMLs. We use a very simple, congruential translation of formulae into sets of local and global clauses, where the latter are required to hold at any point in the model. Completeness is established via canonical models, and the main conceptual novelty is the analysis of maximally consistent sets using inconsistency predicates. As we demonstrate by example, our modal resolution calculus does not derive the modal literal $\neg l$ from a set $C$ of clauses if $C \cup \{l\}$ is inconsistent. Rather, it derives a (set of) literals $e$ such that $\{e, l\}$ are inconsistent over $C$. This allows us to show that maximally consistent sets are negation complete and disjunction complete. Also, inconsistency predicates allow us to lift statements of global satisfiability of clauses to resolution derivability, which in turn establishes premisses of resolution rules that we need to establish completeness.

The paper is structured as follows. In the next section we present the language of NNMLs and their axiomatisations. We then present the calculi for each modal logic in the NNML cube in Sect. 3, together with results for termination and soundness. Completeness is shown in Sect. 4. The completeness results show that proof systems for stronger logics are obtained modularly by adding rules to the weaker systems. We conclude in Sect. 5.


2 Syntax, Semantics, and Axiomatisation 


Definition 1. We fix a countable set $\mathcal{V}$ of propositional variables. The language $\mathcal{L}$ of the basic unimodal logic is given by the grammar $\mathcal{L} \ni \varphi, \psi ::= p \mid \neg\varphi \mid \Box\varphi \mid \varphi \vee \psi$ where $p \in \mathcal{V}$.

Other connectives $\top$, $\bot$, $\wedge$, $\to$ and $\leftrightarrow$ are defined in the standard way, and we use the usual operator precedence $\wedge$, $\vee$, $\to$, $\leftrightarrow$ from strongest to weakest. We denote the set of subformulae of $\varphi \in \mathcal{L}$ and their negations by $subf(\varphi)$, where leading double negations are eliminated.


Terminology 2. Variables and their negations are called propositional literals, and modal literals are of the form $\Box p$ or $\neg\Box p$ where $p \in \mathcal{V}$ is a propositional variable. A literal is either a propositional or a modal literal. We write $Lit(\mathcal{V})$ for the set of literals with variables in $\mathcal{V}$.


Formulae are interpreted with respect to neighbourhood models. 


Definition 3. A neighbourhood frame is a pair $(W, N)$ where $W$ is a set (of worlds) and $N : W \to \mathcal{P}(\mathcal{P}(W))$ is a (neighbourhood) function, where $\mathcal{P}(S)$ denotes the powerset of $S$. A neighbourhood model is a neighbourhood frame endowed with a valuation, that is, a triple $(W, N, \theta)$ where $(W, N)$ is a neighbourhood frame and $\theta : \mathcal{V} \to \mathcal{P}(W)$ is a (valuation) function.


Definition 4. Truth of a formula $\varphi \in \mathcal{L}$ at a world $w \in W$ of a neighbourhood model $\mathcal{M} = (W, N, \theta)$ is given inductively by:

$\mathcal{M}, w \models p \iff w \in \theta(p)$
$\mathcal{M}, w \models \varphi \vee \psi \iff \mathcal{M}, w \models \varphi$ or $\mathcal{M}, w \models \psi$
$\mathcal{M}, w \models \neg\varphi \iff \mathcal{M}, w \not\models \varphi$
$\mathcal{M}, w \models \Box\varphi \iff [\varphi]_{\mathcal{M}} \in N(w)$

where $[\varphi]_{\mathcal{M}} = \{w \in W \mid \mathcal{M}, w \models \varphi\}$ is the truth set of $\varphi$.
Table 1. Axioms and frame properties, where $(W, N)$ is a frame, $\alpha, \beta \subseteq W$, $w \in W$.

Axiom | Frame property
C: $(\Box\varphi \wedge \Box\psi) \to \Box(\varphi \wedge \psi)$ | Closed under intersection: $\alpha \in N(w) \wedge \beta \in N(w) \to \alpha \cap \beta \in N(w)$
M: $\Box(\varphi \wedge \psi) \to \Box\varphi$ | Supplemented: $\alpha \in N(w) \wedge \alpha \subseteq \beta \to \beta \in N(w)$
N: $\Box\top$ | Contains the unit: $W \in N(w)$

[Figure: the classical modal cube of the systems E, EC, EM, EN, EMC, ECN, EMN and EMCN = K.]

Fig. 1. The classical modal cube. Arrows indicate proper inclusion.


A formula $\varphi \in \mathcal{L}$ is satisfiable in a neighbourhood model $\mathcal{M} = (W, N, \theta)$ if there is $w \in W$ such that $\mathcal{M}, w \models \varphi$. A set $\Phi = \{\varphi_1, \ldots, \varphi_n\}$, $n \in \mathbb{N}$, is satisfiable if and only if there is a neighbourhood model $(W, N, \theta)$ and a world $w \in W$ such that $\mathcal{M}, w \models \varphi_i$, for all $1 \le i \le n$. A formula $\varphi$ is satisfiable in a class $\mathcal{C}$ of neighbourhood models if there exists $\mathcal{M} \in \mathcal{C}$ such that $\varphi$ is satisfiable in $\mathcal{M}$. We denote by $\mathcal{E}$ the class of all neighbourhood models.

The axiomatisation for the minimal logic E comprises the axiomatisation of classical propositional logic and the rule RE: from $\varphi \leftrightarrow \psi$ derive $\Box\varphi \leftrightarrow \Box\psi$. We also consider the extensions of E with the axioms given in Table 1. Neighbourhood models modularly characterise the classical cube of NNMLs given in Fig. 1 in the sense that a formula $\varphi$ is a theorem of E if and only if it is valid in the class $\mathcal{E}$ of all neighbourhood models [7]. Furthermore, $\varphi$ is a theorem of EX with $X \subseteq \{C, M, N\}$ if and only if it is valid in the class of neighbourhood models that satisfy each of the additional axioms, whose corresponding frame conditions are given in Table 1. That is, the following holds [7, Theorem 7.5].


Theorem 5. The logic E (resp. EC, EM, EN, EMC, ECN, EMN, EMCN) is characterised by the class $\mathcal{E}$ (resp. $\mathcal{EC}$, $\mathcal{EM}$, $\mathcal{EN}$, $\mathcal{EMC}$, $\mathcal{ECN}$, $\mathcal{EMN}$, $\mathcal{EMCN}$) of neighbourhood models.


We also note that axioms M and N are, respectively, equivalent to the rules RM ($\varphi \to \psi$ / $\Box\varphi \to \Box\psi$) and RN ($\varphi$ / $\Box\varphi$), and that the axiom K ($\Box(\varphi \to \psi) \to \Box\varphi \to \Box\psi$) is derivable from M and C. As a consequence, the top system EMCN is equivalent to K, the weakest normal modal logic [7, Theorem 8.9]. Monotonicity and aggregation correspond to regularity, that is, the system with both M and C is equivalent to the regular system R [7, Theorem 8.11].
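The truth conditions of Definition 4 and the three frame properties of Table 1, as an added example that is not code from the paper. The model `M1` is constructed so that world 0 has the truth sets of $p$ and $q$ as neighbourhoods but not their intersection, which is exactly where the instance of axiom C fails; closing every neighbourhood set to $\{W\}$ (`M2`) yields a frame with all three properties.

```python
from itertools import combinations

# Formulas as in Definition 1: ('var', p) | ('not', f) | ('or', f, g) | ('box', f).
def Var(p): return ('var', p)
def Not(f): return ('not', f)
def Or(f, g): return ('or', f, g)
def Box(f): return ('box', f)
def And(f, g): return Not(Or(Not(f), Not(g)))      # derived connectives, standard encoding
def Imp(f, g): return Or(Not(f), g)

class NModel:
    """(W, N, theta): N maps a world to a set of frozensets, theta maps a variable to its truth set."""
    def __init__(self, W, N, theta):
        self.W = frozenset(W)
        self.N = {w: set(N.get(w, ())) for w in self.W}
        self.theta = {p: frozenset(s) for p, s in theta.items()}

    def truth_set(self, f):
        """[f]_M = {w ∈ W | M, w ⊨ f}, computed bottom-up from Definition 4."""
        kind = f[0]
        if kind == 'var':
            return self.theta.get(f[1], frozenset())
        if kind == 'not':
            return self.W - self.truth_set(f[1])
        if kind == 'or':
            return self.truth_set(f[1]) | self.truth_set(f[2])
        if kind == 'box':                          # M, w ⊨ □f iff [f]_M ∈ N(w)
            ts = self.truth_set(f[1])
            return frozenset(w for w in self.W if ts in self.N[w])
        raise ValueError('unknown connective %r' % kind)

    def sat(self, w, f):
        return w in self.truth_set(f)

    def valid(self, f):
        return self.truth_set(f) == self.W

def subsets(s):
    s = sorted(s)
    return (frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r))

def closed_under_intersection(M):      # frame property of axiom C
    return all(a & b in M.N[w] for w in M.W for a in M.N[w] for b in M.N[w])

def supplemented(M):                   # frame property of axiom M
    return all(b in M.N[w] for w in M.W for a in M.N[w] for b in subsets(M.W) if a <= b)

def contains_unit(M):                  # frame property of axiom N
    return all(M.W in M.N[w] for w in M.W)

# Constructed sample models over W = {0, 1, 2} with [p] = {0, 1} and [q] = {1, 2}.
p, q = Var('p'), Var('q')
M1 = NModel({0, 1, 2},
            {0: {frozenset({0, 1}), frozenset({1, 2})}, 1: {frozenset({0, 1, 2})}},
            {'p': {0, 1}, 'q': {1, 2}})
M2 = NModel({0, 1, 2}, {w: {frozenset({0, 1, 2})} for w in range(3)}, {'p': {0, 1}, 'q': {1, 2}})
AXIOM_C = Imp(And(Box(p), Box(q)), Box(And(p, q)))   # the instance (□p ∧ □q) → □(p ∧ q)
AXIOM_M = Imp(Box(And(p, q)), Box(p))                # the instance □(p ∧ q) → □p
```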

We conclude this section by providing the well-known results about the com- 
plexity of the satisfiability problem for the logics here considered [52]. 
Theorem 6. Let EX with $X \subseteq \{M, N\}$. The satisfiability problem for EX is in NP and the satisfiability problem for ECX is in PSPACE.


3 Resolution Calculi 


Our resolution calculi operate over sets of formulae in a specific normal form: disjunctions of (propositional or modal) literals. Formulae can be transformed into this form by means of renaming [45], which creates new propositions together with their definitions in the resulting formula. The idea here is simple. To translate the formula $\Box\varphi$, say, to clausal form, we stipulate $\Box\varphi$ to be equivalent to $\Box p$, and additionally $p$ to be equivalent to $\varphi$, but the latter has to be true in every world of a neighbourhood model. Hence $\Box\varphi$ is satisfiable if and only if the formulae $\Box p$ and $G(p \leftrightarrow \varphi)$ are satisfiable. Here $G(\cdot)$ is a global modality that stipulates that a formula is true at every world in a model. For a neighbourhood model $\mathcal{M} = (W, N, \theta)$, $w \in W$, and a formula $\varphi \in \mathcal{L}$, we have that $\mathcal{M}, w \models G(\varphi) \iff \mathcal{M}, w' \models \varphi$ for all $w' \in W$, where $\mathcal{M}, w' \models \varphi$ is as in Definition 4. Alternatively (and equivalently), $\mathcal{M}, w \models G(\varphi) \iff [\varphi]_{\mathcal{M}} = W$. A clause is a formula in one of the following forms:

- local clauses: $\bigvee_i l_i$, where the $l_i$ are propositional or modal literals; or
- global clauses: $G(\bigvee_i l_i)$, where the $l_i$ are propositional or modal literals.


We often think of a clause as a set of literals and sometimes use set notation, that is, we identify $l_1 \vee \ldots \vee l_n$ with the set $\{l_1, \ldots, l_n\}$, for $n \in \mathbb{N}$. This allows us to also use set theoretic notation on clauses. For instance, for a literal $l$ and clause $\gamma$, we may write $l \in \gamma$ and say that $l$ is an element of $\gamma$. Similarly, $\gamma_1 \subseteq \gamma_2$ means that all literals of $\gamma_1$ are literals of $\gamma_2$.

It is easy to see that every formula can be represented as a set of clauses. As most logics in the cube are non-monotonic, we only replace the argument of $\Box$ with an equivalent formula. As a consequence, the rewriting steps and introduction of new variables by renaming consistently use bi-implications ($\leftrightarrow$). For a fixed formula $\varphi \in \mathcal{L}$, we let $\eta = \eta_\varphi : subf(\varphi) \to \mathcal{V} \setminus \mathcal{V}(\varphi)$ be an injective renaming function that associates a fresh propositional variable to every (possibly negated) subformula of $\varphi$.


Proposition 7. A formula $\varphi$ is satisfiable if, and only if, $\{\eta(\varphi)\} \cup R(G(\eta(\varphi) \leftrightarrow \varphi))$ is satisfiable, where $R$ is defined as follows and $t, p \in \mathcal{V}$:

$R(G(t \leftrightarrow p)) = \{G(\neg t \vee p), G(t \vee \neg p)\}$
$R(G(t \leftrightarrow \neg\psi)) = \{G(\neg t \vee \neg\eta(\psi)), G(t \vee \eta(\psi))\} \cup R(G(\eta(\psi) \leftrightarrow \psi))$
$R(G(t \leftrightarrow \psi \vee \psi')) = \{G(\neg t \vee \eta(\psi) \vee \eta(\psi')), G(t \vee \neg\eta(\psi)), G(t \vee \neg\eta(\psi'))\} \cup R(G(\eta(\psi) \leftrightarrow \psi)) \cup R(G(\eta(\psi') \leftrightarrow \psi'))$
$R(G(t \leftrightarrow \Box\psi)) = \{G(\neg t \vee \Box\eta(\psi)), G(t \vee \neg\Box\eta(\psi))\} \cup R(G(\eta(\psi) \leftrightarrow \psi))$

Moreover, the size of $\{\eta(\varphi)\} \cup R(G(\eta(\varphi) \leftrightarrow \varphi))$ is linear in the size of $\varphi$.
The proof is standard. We can transform a model that satisfies $\varphi$ into a model where $\eta(\varphi)$ has exactly the same truth set as $\varphi$ by just changing the valuation of the renaming symbol. Conversely, models that satisfy the transformation are automatically models of $\varphi$. The number of recursive calls is proportional to the number of subformulae of $\varphi$, hence the linear complexity bound.
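The transformation $R$ of Proposition 7 over the grammar of Definition 1, as an added example that is not code from the paper; the fresh variable names `t1, t2, ...` chosen by the renaming $\eta$ are an assumption of this example.

```python
from itertools import count

# Formulas as in Definition 1: ('var', p) | ('not', f) | ('or', f, g) | ('box', f).
# A literal is (polarity, atom); atom is a variable name or ('box', name) for □name.
# Clauses are frozensets of literals; every clause returned by R is a global clause.

def lit(polarity, atom):
    return (polarity, atom)

class Renaming:
    """η_φ: injective map from (sub)formulae to fresh variables t1, t2, ... (assumed names)."""
    def __init__(self):
        self.table, self.fresh = {}, count(1)

    def __call__(self, f):
        if f not in self.table:
            self.table[f] = 't%d' % next(self.fresh)
        return self.table[f]

def R(t, f, eta):
    """R(G(t ↔ f)): the four equations of Proposition 7, one per shape of f."""
    kind = f[0]
    if kind == 'var':                                         # R(G(t ↔ p))
        p = f[1]
        return {frozenset({lit(False, t), lit(True, p)}), frozenset({lit(True, t), lit(False, p)})}
    if kind == 'not':                                         # R(G(t ↔ ¬ψ))
        s = eta(f[1])
        return ({frozenset({lit(False, t), lit(False, s)}), frozenset({lit(True, t), lit(True, s)})}
                | R(s, f[1], eta))
    if kind == 'or':                                          # R(G(t ↔ ψ ∨ ψ'))
        s1, s2 = eta(f[1]), eta(f[2])
        return ({frozenset({lit(False, t), lit(True, s1), lit(True, s2)}),
                 frozenset({lit(True, t), lit(False, s1)}),
                 frozenset({lit(True, t), lit(False, s2)})}
                | R(s1, f[1], eta) | R(s2, f[2], eta))
    if kind == 'box':                                         # R(G(t ↔ □ψ))
        s = eta(f[1])
        return ({frozenset({lit(False, t), lit(True, ('box', s))}),
                 frozenset({lit(True, t), lit(False, ('box', s))})}
                | R(s, f[1], eta))
    raise ValueError('unknown connective %r' % kind)

def clausify(phi):
    """{η(φ)} ∪ R(G(η(φ) ↔ φ)): the local unit clause and the set of global clauses."""
    eta = Renaming()
    t = eta(phi)
    return frozenset({lit(True, t)}), R(t, phi, eta)

def subformulae(f):
    """Distinct subformulae of f, the size measure for the linearity bound."""
    subs = {f}
    for g in f[1:]:
        if isinstance(g, tuple):
            subs |= subformulae(g)
    return subs

# Constructed input: φ = □(p ∨ ¬q) has five subformulae and yields eleven global clauses.
PHI = ('box', ('or', ('var', 'p'), ('not', ('var', 'q'))))
```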

The inference rules for the modal logic E and its extensions are given in Table 2. In the table, $C$ and $D$ are clauses, $l$ are literals and $p$ are propositional variables, possibly subscripted or primed. Inference rules are presented using standard notation with premisses and conclusion, called the resolvent, separated by a horizontal line. Every inference rule except G2L has a local and a global variant, expressed by a leading L (resp. G) in its name. The second letter of the rule name indicates the logic axiomatised by the rule, so that e.g. GMRES is sound for the monotone modal logic EM. In the following, we give the intuition for the global inference rules, which can be readily translated to their local variants. We consider the following four groups of inference rules.

- Inference rules for all classical modal logics: The rule GRES is a syntactical variation of the propositional resolution rule [46], the only differences being that reasoning is carried out within the global modality and that $l$ occurring in the premisses may be a modal literal. The rule G2L asserts that local satisfiability is a consequence of its global counterpart. The rule GERES expresses that $\Box p$ and $\neg\Box p'$ are inconsistent whenever $p$ and $p'$ are globally equivalent, i.e. have the same truth set. By virtue of the side condition, we have three non-redundant instances: (1) $G(C) = G(\neg p \vee p')$ and $G(C') = G(p \vee \neg p')$, which means that $p$ and $p'$ are semantically equivalent; (2) $G(C) = G(\neg p)$ and $G(C') = G(\neg p')$, in which case $p$ and $p'$ are globally false and so semantically equivalent; or (3) $G(C) = G(p')$ and $G(C') = G(p)$, where $p$ and $p'$ are semantically equivalent as they are both globally true. All other instances are already contradictory or can be reduced to the above by means of GRES.

- Inference rules for classical modal logics with aggregation that validate the axiom C: The rules GCRES1 and GCRES2 are sound in classical modal logics containing the axiom C. They are similar to the rule GERES, but the side conditions for clauses $C_i$ ensure that $(p_1 \wedge \ldots \wedge p_n \leftrightarrow p)$ is globally true.

- Inference rules for monotone classical modal logics that validate the axiom M: The rule GMRES is sound in logics that are monotone. This rule is a weaker version of GERES where congruence is required. For monotone logics, the rule RM (from $\varphi \to \psi$ derive $\Box\varphi \to \Box\psi$) holds. The side condition gives three concrete instances: (1) $C = G(\neg p \vee p')$, thus, from $\Box p$ in the first premiss we have that $\Box p'$ holds, which contradicts $\neg\Box p'$ in the second premiss; (2) $C = G(\neg p)$, that is, $p$ is globally false and, ex falso sequitur quodlibet, we again have that $\Box p'$ holds, which contradicts the modal literal in the second premiss; or (3) $C = G(p')$, from which we can derive $\neg\Box p$, using the contrapositive of RM, which contradicts the modal literal in the first premiss.

- Inference rules for classical modal logics with the unit that validate the axiom N: The rule GNRES is sound for these logics, as the premiss $G(p)$ says that $\neg\Box p$ (or its global occurrence) cannot be satisfied, therefore it must be the case that the resolvent $G(D)$ is satisfied.

Table 2. Inference rules. Each rule is given as "from premisses derive resolvent"; $l$ ranges over literals, $p, p', p_i$ over propositional variables and $C, C', C_i, D, D', D_i$ over clauses.

LRES: from $(D \vee l)$ and $(D' \vee \neg l)$ derive $(D \vee D')$
GRES: from $G(D \vee l)$ and $G(D' \vee \neg l)$ derive $G(D \vee D')$
G2L: from $G(D)$ derive $D$
LERES: from $(D \vee \Box p)$, $(D' \vee \neg\Box p')$, $G(C)$ and $G(C')$ derive $(D \vee D')$, where $C \subseteq (\neg p \vee p')$ and $C' \subseteq (p \vee \neg p')$
GERES: from $G(D \vee \Box p)$, $G(D' \vee \neg\Box p')$, $G(C)$ and $G(C')$ derive $G(D \vee D')$, where $C \subseteq (\neg p \vee p')$ and $C' \subseteq (p \vee \neg p')$
LMRES: from $(D \vee \Box p)$, $(D' \vee \neg\Box p')$ and $G(C)$ derive $(D \vee D')$, where $C \subseteq (\neg p \vee p')$
GMRES: from $G(D \vee \Box p)$, $G(D' \vee \neg\Box p')$ and $G(C)$ derive $G(D \vee D')$, where $C \subseteq (\neg p \vee p')$
LNRES: from $(D \vee \neg\Box p)$ and $G(p)$ derive $D$
GNRES: from $G(D \vee \neg\Box p)$ and $G(p)$ derive $G(D)$
LCRES1: from $(D_1 \vee \Box p_1)$, ..., $(D_n \vee \Box p_n)$, $(D' \vee \neg\Box p)$, $G(\neg p_1 \vee \ldots \vee \neg p_n \vee p)$, $G(C_1)$, ..., $G(C_n)$ derive $(D_1 \vee \ldots \vee D_n \vee D')$, where $C_i \subseteq (\neg p \vee p_i)$ and $p_i \in C_i$
GCRES1: from $G(D_1 \vee \Box p_1)$, ..., $G(D_n \vee \Box p_n)$, $G(D' \vee \neg\Box p)$, $G(\neg p_1 \vee \ldots \vee \neg p_n \vee p)$, $G(C_1)$, ..., $G(C_n)$ derive $G(D_1 \vee \ldots \vee D_n \vee D')$, where $C_i \subseteq (\neg p \vee p_i)$ and $p_i \in C_i$
LCRES2: from $(D_1 \vee \Box p_1)$, ..., $(D_n \vee \Box p_n)$, $(D' \vee \neg\Box p)$, $G(\neg p_1 \vee \ldots \vee \neg p_n)$ and $G(\neg p)$ derive $(D_1 \vee \ldots \vee D_n \vee D')$
GCRES2: from $G(D_1 \vee \Box p_1)$, ..., $G(D_n \vee \Box p_n)$, $G(D' \vee \neg\Box p)$, $G(\neg p_1 \vee \ldots \vee \neg p_n)$ and $G(\neg p)$ derive $G(D_1 \vee \ldots \vee D_n \vee D')$

The basic resolution calculus, RES_E, comprises the inference rules LRES,
GRES, G2L, LERES and GERES. For the extensions of E, the calculi can be
obtained in a modular way, that is, by just adding the rules that are sound
with respect to the axioms for the logic. However, it is easy to see that, for
instance, when considering monotone logics, whenever LERES or GERES can be
applied, the rules LMRES or GMRES can also be applied, generating exactly the
same resolvent. Thus, LERES and GERES are both redundant in the calculi for
monotone logics. In Table 3 we give the rules for the calculus for each considered
logic, but where redundant inference rules are suppressed. We denote by RES_L
the resolution calculus for a particular logic L.

Table 3. Inference rules corresponding to each logic

Calculus  | Inference Rules
RES_E     | LRES, GRES, G2L, LERES, GERES
RES_EC    | LRES, GRES, G2L, LCRES1, GCRES1, LCRES2, GCRES2
RES_EM    | LRES, GRES, G2L, LMRES, GMRES
RES_EN    | LRES, GRES, G2L, LERES, GERES, LNRES, GNRES
RES_EMC   | LRES, GRES, G2L, LCRES1, GCRES1, LCRES2, GCRES2, LMRES, GMRES
RES_ECN   | LRES, GRES, G2L, LCRES1, GCRES1, LCRES2, GCRES2, LNRES, GNRES
RES_EMN   | LRES, GRES, G2L, LMRES, GMRES, LNRES, GNRES
RES_EMCN  | LRES, GRES, G2L, LCRES1, GCRES1, LCRES2, GCRES2, LMRES, GMRES,
          | LNRES, GNRES

The following definitions are needed before we establish our main results. 


Definition 8. Let C be a finite set of clauses and L = EX with X ⊆ {C, M, N}.
A derivation from C in RES_L is a sequence of sets of clauses C_0, C_1, ... where
C_0 = C and for every i ∈ ℕ, C_{i+1} = C_i ∪ {D} where the resolvent D was obtained
from C_i by applying the rules of RES_L given in Table 3. We require that D ∉ C_i
and that D is not a tautology (that is, a clause containing l and ¬l).


Definition 9. Let C be a finite set of clauses and C_0, C_1, ... a derivation from C
in RES_L, where L = EX with X ⊆ {C, M, N}. If there is k ∈ ℕ such that ε ∈ C_k,
then C_0, C_1, ..., C_k is a refutation of C. If there is k ∈ ℕ such that any resolvent
D obtained from C_k by applying the rules of RES_L given in Table 3 to C_k is such
that D ∈ C_k, then C_k is saturated, and C_k is the saturation of C.


The following two theorems establish termination and soundness of the calculi.


Theorem 10. Let L = EX with X ⊆ {C, M, N}, C be a finite set of clauses and
C_0, C_1, ... be a derivation from C in RES_L. Then there is k ∈ ℕ such that C_k is
saturated, or C_0, C_1, ..., C_k is a refutation.


As there is a finite number of literals in C and no inference rule introduces new
literals, there is also an upper bound on the number of clauses that can be
generated by RES_L. Hence either the empty clause is generated at some C_k, or no
new clauses can be generated. Thus, any derivation in RES_L terminates.


Theorem 11. Let L = EX with X ⊆ {C, M, N}. Then RES_L is sound.

The proof is by induction on the number of steps of a derivation: as every step
of a derivation is satisfiability preserving, as argued above, all derivations
from satisfiable sets of clauses only generate satisfiable sets of clauses.

We present two examples before establishing completeness in the next section. 


Example 12. We show that □(p ∨ q) → □(p ∨ ¬□(a ∨ ¬a) ∨ q) is valid in the
logic EN by using the calculus RES_EN. For the refutation, we negate the formula
and obtain φ = □(p ∨ q) ∧ ¬□(p ∨ ¬□(a ∨ ¬a) ∨ q). We show next the relevant
clauses resulting from the transformation, where we have that φ_1 = □(p ∨ q),
φ_2 = ¬□(p ∨ ¬□(a ∨ ¬a) ∨ q), and φ_3 = (p ∨ ¬□(a ∨ ¬a) ∨ q):

 1. t_φ                             8. G(¬t_φ2 ∨ ¬□t_φ3)
 2. G(¬t_φ ∨ t_φ1)                  9. G(¬t_φ3 ∨ t_p ∨ t_q ∨ ¬□t_{a∨¬a})
 3. G(¬t_φ ∨ t_φ2)                 10. G(t_φ3 ∨ ¬t_p)
 4. G(¬t_φ1 ∨ □t_{p∨q})            11. G(t_φ3 ∨ ¬t_q)
 5. G(¬t_{p∨q} ∨ t_p ∨ t_q)        12. G(t_{a∨¬a} ∨ ¬t_a)
 6. G(t_{p∨q} ∨ ¬t_p)              13. G(t_{a∨¬a} ∨ ¬t_{¬a})
 7. G(t_{p∨q} ∨ ¬t_q)              14. G(t_{¬a} ∨ t_a)

The steps of the refutation are as follows:

15. G(t_{a∨¬a} ∨ t_a)              [GRES, 13, 14]
16. G(t_{a∨¬a})                    [GRES, 15, 12]
17. G(¬t_φ3 ∨ t_p ∨ t_q)           [GNRES, 16, 9]
18. G(¬t_φ3 ∨ t_p ∨ t_{p∨q})       [GRES, 17, 7]
19. G(¬t_φ3 ∨ t_{p∨q})             [GRES, 18, 6]
20. G(t_φ3 ∨ ¬t_{p∨q} ∨ t_p)       [GRES, 11, 5]
21. G(t_φ3 ∨ ¬t_{p∨q})             [GRES, 20, 10]
22. G(¬t_φ1 ∨ ¬t_φ2)               [GERES, 4, 8, 19, 21]
23. G(¬t_φ ∨ ¬t_φ1)                [GRES, 22, 3]
24. G(¬t_φ)                        [GRES, 23, 2]
25. ¬t_φ                           [G2L, 24]
26. ε                              [LRES, 25, 1]
Example 13. We now show that φ = □p ∧ □q → □(p ∧ q) is valid in EC. The
transformation of ¬φ produces, among others, Clauses (1)-(7). The refutation
is refreshingly short: it is obtained in two steps after an application of GCRES1:

 1. t_φ                        6. G(¬t_{p∧q} ∨ t_q)
 2. G(¬t_φ ∨ □t_p)             7. G(t_{p∧q} ∨ ¬t_p ∨ ¬t_q)
 3. G(¬t_φ ∨ □t_q)             8. G(¬t_φ)                 [GCRES1, 2, 3, 4, 5, 6, 7]
 4. G(¬t_φ ∨ ¬□t_{p∧q})        9. ¬t_φ                    [G2L, 8]
 5. G(¬t_{p∧q} ∨ t_p)         10. ε                       [LRES, 9, 1]


4 Completeness


We prove completeness by means of a canonical model construction. Our maximally
consistent sets comprise both local and global clauses. The proof of the
truth lemma hinges on the fact that maximally consistent sets are negation
complete, that is, they contain either a literal or its negation. In completeness
proofs of Hilbert systems, the argument is as follows. If M is a maximally
consistent set, and neither φ ∈ M nor ¬φ ∈ M, then both M ∪ {φ} and M ∪ {¬φ} are
inconsistent, that is, M ∪ {φ} ⊢ ⊥ and M ∪ {¬φ} ⊢ ⊥. Hence M ⊢ ¬φ and M ⊢ φ,
which contradicts the consistency of M, so that our supposition that neither
φ ∈ M nor ¬φ ∈ M must have been false.

Resolution Calculi for Non-normal Modal Logics 331

However, this argument is not available for resolution calculi, where we take
a set C of local or global clauses to be consistent if C ⊬ ε. In the simplest calculus,
RES_E, consider the set C = {G(¬p ∨ q), G(¬q ∨ p), ¬□q}. Then clearly C ∪ {□p} ⊢ ε,
but it is patently false that C ⊢ ¬□p.

However, something nearly as useful eventuates: we have that C ⊢ ¬□q,
and □p and ¬□q together are inconsistent over C (using a single application of
LERES). That is, while we cannot derive ¬□p, at least we can derive a literal,
here ¬□q, that is inconsistent with □p over C. This is captured in the notion
of inconsistency predicate, where, in full generality, we need to consider the
inconsistency of n-element sets to accommodate instances of LNRES (where we
are going to designate singleton sets as inconsistent) and the LCRES rules (where
inconsistent sets can contain any finite number of elements). We formulate this
for an arbitrary resolution calculus.
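The saturation of Definitions 8 and 9, run on the clauses of Example 12 and on the set C just discussed, as an added example that is not the paper's code: the rules LRES, GRES, G2L, LERES, GERES, LNRES and GNRES are encoded directly, so both RES_E and RES_EN can be exercised; the representation of literals and clauses, the rule functions and the surrogate variable names (t_phi, t_pq, t_aa, ...) are this example's own choices.

```python
# Added example, not code from the paper: a naive saturation procedure for the
# calculi RES_E and RES_EN (rules LRES, GRES, G2L, LERES, GERES, LNRES, GNRES).
# A literal is (negated, atom) with atom ("var", x) or ("box", x); for instance
# lit("p", box=True, neg=True) stands for the modal literal ¬□p.
from itertools import product

def lit(name, box=False, neg=False):
    return (neg, ("box" if box else "var", name))

def negate(l):
    return (not l[0], l[1])

# A clause is (is_global, frozenset of literals): L(...) is local, G(...) global.
def L(*lits):
    return (False, frozenset(lits))

def G(*lits):
    return (True, frozenset(lits))

EMPTY = L()  # the empty local clause; deriving it is a refutation

def is_tautology(clause):
    return any(negate(l) in clause[1] for l in clause[1])

def boxes(clause, negated):
    """The modal literals □p (negated=False) or ¬□p (negated=True) of a clause."""
    return [l for l in clause[1] if l[1][0] == "box" and l[0] == negated]

def resolve(c1, c2):
    """LRES / GRES: (D ∨ l), (D' ∨ ¬l) yield (D ∨ D'); both premisses local or both global."""
    if c1[0] != c2[0]:
        return []
    return [(c1[0], (c1[1] - {l}) | (c2[1] - {negate(l)}))
            for l in c1[1] if negate(l) in c2[1]]

def has_global_sub_clause(clauses, allowed):
    """Side condition 'G(C) with C ⊆ allowed': a non-empty global sub-clause is present."""
    return any(g and lits and lits <= allowed for g, lits in clauses)

def eres(c1, c2, clauses):
    """LERES / GERES: (D ∨ □p), (D' ∨ ¬□p'), G(C), G(C') with C ⊆ (¬p ∨ p') and
    C' ⊆ (p ∨ ¬p') yield (D ∨ D'): □p and ¬□p' clash once p, p' are globally equivalent."""
    if c1[0] != c2[0]:
        return []
    out = []
    for bp, nbq in product(boxes(c1, False), boxes(c2, True)):
        p, q = bp[1][1], nbq[1][1]
        if (has_global_sub_clause(clauses, {lit(p, neg=True), lit(q)})
                and has_global_sub_clause(clauses, {lit(p), lit(q, neg=True)})):
            out.append((c1[0], (c1[1] - {bp}) | (c2[1] - {nbq})))
    return out

def nres(c, clauses):
    """LNRES / GNRES (axiom N): (D ∨ ¬□p) together with G(p) yields D."""
    return [(c[0], c[1] - {nbp}) for nbp in boxes(c, True)
            if G(lit(nbp[1][1])) in clauses]

def saturate(clauses, logic="E"):
    """Saturation as in Definitions 8 and 9: keep adding resolvents that are new and
    not tautologies until none remain or the empty clause has been derived."""
    clauses = set(clauses)
    while EMPTY not in clauses:
        new = set()
        for c in clauses:
            if c[0]:
                new.add((False, c[1]))            # G2L
            if logic == "EN":
                new.update(nres(c, clauses))       # LNRES / GNRES
        for c1, c2 in product(clauses, repeat=2):
            new.update(resolve(c1, c2))            # LRES / GRES
            new.update(eres(c1, c2, clauses))      # LERES / GERES
        new = {c for c in new if c not in clauses and not is_tautology(c)}
        if not new:
            break
        clauses |= new
    return clauses

def refutes(clauses, logic="E"):
    return EMPTY in saturate(clauses, logic)

def example_12_clauses():
    """Clauses 1-14 of Example 12 (negation of □(p ∨ q) → □(p ∨ ¬□(a ∨ ¬a) ∨ q));
    t("x") is the surrogate variable t_x, with "pq" for p ∨ q and "aa" for a ∨ ¬a."""
    t = lit
    return [
        L(t("phi")),
        G(t("phi", neg=True), t("phi1")), G(t("phi", neg=True), t("phi2")),
        G(t("phi1", neg=True), t("pq", box=True)),
        G(t("pq", neg=True), t("p"), t("q")), G(t("pq"), t("p", neg=True)),
        G(t("pq"), t("q", neg=True)),
        G(t("phi2", neg=True), t("phi3", box=True, neg=True)),
        G(t("phi3", neg=True), t("p"), t("q"), t("aa", box=True, neg=True)),
        G(t("phi3"), t("p", neg=True)), G(t("phi3"), t("q", neg=True)),
        G(t("aa"), t("a", neg=True)), G(t("aa"), t("na", neg=True)),
        G(t("na"), t("a")),
    ]

# The set C = {G(¬p ∨ q), G(¬q ∨ p), ¬□q} from above: C ∪ {□p} is refutable in RES_E,
# yet C alone saturates without ever deriving ¬□p.
SECTION_4_C = [G(lit("p", neg=True), lit("q")), G(lit("q", neg=True), lit("p")),
               L(lit("q", box=True, neg=True))]

if __name__ == "__main__":
    print("Example 12 refuted in RES_EN:", refutes(example_12_clauses(), "EN"))
    print("C ∪ {□p} refuted in RES_E:", refutes(SECTION_4_C + [L(lit("p", box=True))]))
```

Running Example 12 with logic="E" instead of "EN" leaves ¬□t_{a∨¬a} in every clause containing ¬t_φ3, so the side condition of GERES is never met and the set saturates without the empty clause.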


Definition 14. A modal resolution calculus is a relation ⊢ between clause sets
and clauses that is closed under propositional resolution. That is, if C ⊢ D ∨ l and
C ⊢ D' ∨ ¬l then C ⊢ D ∨ D', for all local clauses D, D' and literals l. Let ⊢ be
a modal resolution calculus and C be a set of global clauses. An inconsistency
predicate for C and ⊢ is a subset P ⊆ 𝒫(Lit(V)) such that the following three
conditions hold:


1. Every element I = {l_1, ..., l_n} ∈ P is inconsistent over C, that is, there are
global clauses Γ_1, ..., Γ_k such that {Γ_1, ..., Γ_k, l_1, ..., l_n} ⊢ ε and C ⊢ Γ_i for
all 1 ≤ i ≤ k.

2. The set P is closed under cut, that is A ∪ B ∈ P whenever A ∪ {l} ∈ P and
B ∪ {¬l} ∈ P.

3. Propositional literals are only inconsistent with their negations, i.e. A =
{p, ¬p} whenever p ∈ A ∈ P for a propositional variable p ∈ V.


The formulation of inconsistency predicate instantiates to all modal calculi in
the paper, where for a calculus RES_L we say that C ⊢ D if D is in the saturation
of C. We think of an element {l_1, ..., l_n} of an inconsistency predicate not as a
clause, but rather as a conjunction of singleton clauses (that is inconsistent as
per the first requirement). The second requirement formalises the semantically
sound condition ⋂_i a_i ∩ ⋂_j b_j = ∅ whenever x ∩ ⋂_i a_i = ∅ = (W \ x) ∩ ⋂_j b_j
for subsets x, a_i, b_j ⊆ W of a set W. We require, in the formulation of the
condition, that A ∪ B is inconsistent, i.e., C proves a sufficient number of global
clauses Γ that, together with A ∪ B, allow us to derive the empty clause ε.

As an example, and a stepping stone to prove the completeness of classical 
modal logic, we have the following: 


Lemma 15. Let ⊢ be the calculus for classical modal logic and let C be a set of
global clauses. Then the set P_E containing

- the set {l, ¬l} for every (propositional or modal) literal l ∈ Lit(V), and
- the set {□p, ¬□q} for every pair p, q ∈ V of propositions such that C ⊢ G(C)
and C ⊢ G(C') for sub-clauses C ⊆ (¬p ∨ q) and C' ⊆ (¬q ∨ p),


is an inconsistency predicate for ⊢ and C.


Proof (Sketch). The inconsistency requirement is clear, as every element of an 
inconsistency predicate is an instance of a resolution rule. For cut closure, apply 
GRES to premisses of a rule inducing a cut. 


The following definition is an adaptation of the deduction theorem to modal 
resolution calculi. The reader is encouraged to instantiate this to the case of the 
modal logic E (and the inconsistency predicate of Lemma 15), as we do in the 
example following the definition. 


Definition 16. An inconsistency predicate P is compatible with a modal resolution
calculus ⊢ if for every local clause D and every (propositional or modal)
literal l with C ∪ {l} ⊢ D, either D = l or there is n ≥ 0 and D_1, ..., D_n,
E_1, ..., E_n such that


- D = D_1 ∨ ··· ∨ D_n, and
- {l, e_1, ..., e_n} ∈ P for all e_1, ..., e_n with e_i ∈ E_i.


For the case of classical modal logic, the definition of compatibility takes the 
following form. 


Example 17. If ⊢ is the resolution calculus for the classical modal logic E, the
inconsistency predicate P_E from Lemma 15 is binary. As a consequence, the
above definition can only be instantiated with n = 1. Hence P_E is compatible
if for all literals l and all local clauses D with C ∪ {l} ⊢ D either D = l or there
is a local clause E such that C ⊢ E ∨ D and {l, e} ∈ P_E for all e ∈ E.


As a second example, and to make further progress towards completeness of the
resolution calculus ⊢ for classical modal logic, we establish that the inconsistency
predicate P_E from Lemma 15 is indeed compatible.


Lemma 18. The inconsistency relation P_E from Lemma 15 is compatible with
the resolution calculus ⊢ for classical modal logic.


The proof proceeds by induction on the derivation from C ∪ {l} and is omitted.

Finally, we can reap some of the benefits of our work, and take the next step 
towards showing that maximally consistent sets are negation complete, i.e. for 
every literal l, they contain either l or ~l. 


Lemma 19. Let C be a set of local or global clauses, l be a literal and P be a
compatible inconsistency predicate. If C ∪ {l} ⊢ ε and C ∪ {¬l} ⊢ ε, then C ⊢ ε.

Proof. We demonstrate the proof for the special case of a binary inconsistency
relation P, i.e. every set A ∈ P has two elements. As C ∪ {l} ⊢ ε, we have a
local clause E such that C ⊢ E, and {e, l} ∈ P for all e ∈ E by compatibility.
Similarly, as C ∪ {¬l} ⊢ ε, we have a local clause E' with {¬l, e'} ∈ P for all
e' ∈ E'. If either E = ε or E' = ε we are done. If not, we have {e, e'} ∈ P for
all e ∈ E and e' ∈ E' as P is cut closed. This allows us to construct a resolution
proof of ε from C ⊢ E and C ⊢ E' as P is an inconsistency predicate.


Remark 20. For classical modal logic, we have shown that if C ∪ {l} ⊢ D, then
either D = l or C ⊢ E ∨ D where {l, e} ∈ P for all e ∈ E, where P is the
inconsistency predicate from Lemma 15.

One might hypothesise whether E can always be chosen to be a singleton,
or at least a sub-singleton. We show, by means of example, that neither is the
case. First, we cannot always choose E as a singleton: for C = {p} and l = q, we
have that C ∪ {l} ⊢ p but we do not have C ⊢ E ∨ p for any singleton clause E
(here, E = ε satisfies the condition).

We also cannot always choose E to be a sub-singleton clause. For example,
put C = {¬□q ∨ ¬□p ∨ D, G(¬p ∨ q), G(p ∨ ¬q)}. Then C ∪ {□p} ⊢ D, but there
is no sub-singleton clause E so that C ⊢ E ∨ D.


We have now collected all the preliminaries to define and investigate maximally 
consistent sets, i.e. the worlds of the canonical model. 


Definition 21. Let C be a set of global clauses. A local extension of C is a set
M of clauses that extends C by local clauses only. That is, a local extension of
C is a set M of clauses that satisfies {Γ ∈ M | Γ global} = C.

A local extension M of C is maximally consistent if M is consistent (M ⊬ ε) and
every other consistent local extension M' of C that encompasses M (M' ⊇ M)
satisfies M = M'.


Calculi with a compatible inconsistency relation are negation complete. 


Lemma 22. Let ⊢ be a modal calculus with a compatible inconsistency relation,
and let M be a maximally consistent local extension of a set C of global clauses.
Then, for every (propositional or modal) literal l, we have l ∈ M or ¬l ∈ M.


Proof. If neither l ∈ M nor ¬l ∈ M, then M ∪ {l} ⊢ ε and M ∪ {¬l} ⊢ ε.
Applying Lemma 19 now contradicts the consistency of M.


As we have insisted that resolution calculi are closed under propositional reso- 
lution, they are also disjunction complete: 


Corollary 23. Let ⊢ be a modal resolution calculus with a compatible inconsistency
relation, and let M be a maximally consistent local extension of a set C of
global clauses. If l_1 ∨ ··· ∨ l_n ∈ M, then there exists 1 ≤ i ≤ n such that l_i ∈ M.


Proof. If no l_i ∈ M, then all ¬l_i ∈ M and we conclude inconsistency of M.

Compatible inconsistency predicates allow us to assert properties relative to
derivations of a clause with the help of an additional singleton clause. The
following lemma generalises this to a finite number of singleton clauses, but requires
that the singleton clauses be propositional. This allows us to harness the fact that
propositional literals are only inconsistent with their negation, which is enough
to establish the hypotheses of the form G(C) where C ⊆ D is a sub-clause of a
propositional clause D.


Lemma 24. Let ⊢ be a modal resolution calculus with compatible inconsistency
predicate. Moreover, suppose that C is a set of global clauses, l_1, ..., l_n are
propositional literals and D is a (local) clause such that l_i ∉ D for all i = 1, ..., n,
and C ∪ {l_1, ..., l_n} ⊢ D. Then there is a sub-clause E_0 ⊆ ¬l_1 ∨ ··· ∨ ¬l_n such
that C ⊢ E_0 ∨ D.


Proof. By induction on the number n of literals, where n = 0 is evident. If
C ∪ {l_1, ..., l_{n+1}} ⊢ D, we have that C ∪ {l_1, ..., l_n} ⊢ E_0 ∨ D where {e, l_{n+1}} ∈ P
for all e ∈ E_0. This implies that either E_0 = ε or E_0 = ¬l_{n+1}. The claim follows
by applying the inductive hypothesis.


The above lemma fails without assuming that the l_i are propositional literals,
as illustrated by the example at the beginning of this section.

In the proof of the truth lemma, we need to show derivability of premisses 
(of modal rules) based on the truth set of formulae in maximally consistent sets. 
The following corollary establishes this for local clauses, which we will then lift 
to global derivability. 


Corollary 25. Consider a modal resolution calculus with a compatible inconsistency
predicate, let C be a set of global clauses, and let D = l_1 ∨ ··· ∨ l_n be
a propositional clause such that all maximally consistent local extensions M of
C contain at least one l_i (i = 1, ..., n). Then there exists a sub-clause D_0 ⊆ D
such that C ⊢ D_0.


The next property is obviously present in the calculus RES_E and its extensions.


Definition 26. A modal resolution calculus has the global lifting property if,
for any set C of global clauses and a local clause D, we have that C ⊢ G(D)
whenever C ⊢ D.


For our calculi, this essentially means that rules with a global clause as a con- 
clusion only have global clauses as premisses. 


Lemma 27. The calculus RES_E, as well as all other calculi discussed in this
paper, has the global lifting property.


We finally turn to canonical models, where we isolate the construction that is 
identical for all of the logics that we treat here. 


Definition 28 (Canonical Model). Let C be a set of global clauses. The
C-canonical model, or the canonical model based on C, is the triple (W, N, θ)
where

- W is the set of all maximally consistent local extensions of C,
- θ(p) = {M ∈ W | p ∈ M},
- N(M) = {θ(p) | □p ∈ M}.


Here, consistent and maximally consistent refer to consistency in the modal
resolution calculus RES_E for classical modal logic.


This gives the truth lemma for classical modal logic.


Lemma 29 (Truth Lemma). For the calculus RES_E, let (W, N, θ) be the
C-canonical model for some set C of global clauses. Then, for M ∈ W, M ⊨ Γ
whenever Γ ∈ M, for all local clauses Γ.


Proof. By disjunction completeness, it suffices to show the claim for singleton
clauses. The propositional cases and □p ∈ M are easy. For the only interesting
case assume ¬□p ∈ M, and assume for a contradiction that θ(p) ∈ N(M). By
construction, there must be a variable q ∈ V with □q ∈ M and θ(p) = θ(q).
That is, p ∈ M' ⟺ q ∈ M' for all maximally consistent local extensions M'
of C. By Corollary 25 and Lemma 27 we obtain the premisses of the modal rule
that proves M ⊢ ε, a contradiction.


Remark 30. In the proof of the truth lemma, the modal rule was only used in
a very specific form, i.e. D = D' = ε in the definition of the modal rule. The more
general form of the rule is needed to establish Lemma 18. The reader is also
invited to convince themselves that completeness fails without the more general
form, for example to show that C = {G(¬p ∨ q), G(¬q ∨ p), G(¬q ∨ r), G(¬r ∨ q),
¬□p ∨ ¬□q, □r} is inconsistent.

We have used the rule GRES in the proof of Lemma 18. The rule GERES
is hidden in the proof of Lemma 27. The reader is invited to convince themselves
that GERES is needed to show the inconsistency of {G(¬p ∨ q ∨ □r), G(p ∨ ¬q),
G(¬□s), G(s), G(r), G(¬q)}.


Corollary 31. Let C be a set of local or global clauses. If C is unsatisfiable in
the class of neighbourhood models, then C ⊢ ε.


4.1 Monotone Modal Logic 


To show completeness for the resolution calculus for monotone modal logic, we 
follow the same approach, and start with a compatible inconsistency predicate. 


Lemma 32. Let ⊢ be the calculus for monotone modal logic and let C be a set
of global clauses. Then the set P_M containing


- the set {l, ¬l} for every (propositional or modal) literal l ∈ Lit(V), and
- the set {□p, ¬□q} for every pair p, q ∈ V of propositions such that C ⊢ G(C)
for a sub-clause C ⊆ ¬p ∨ q,


is a compatible inconsistency predicate for ⊢ and C.
The proof is very similar to that of classical modal logic (Lemma 15 and Lemma
18). The canonical model construction is an adaptation of the construction for E
where the construction ensures that the set of neighbourhoods is upward closed.


Definition 33. Let C be a set of global clauses. The C-canonical model for the
calculus RES_EM is the triple (W, N, θ) where W and θ are the same as for classical
modal logic (Definition 28) and the neighbourhood function N is defined by


N(M) = {α ⊆ W | θ(p) ⊆ α for some □p ∈ M},


where M ∈ W is a maximally consistent local extension of C.


It is obvious that canonical models for RES_EM are monotone by construction,
but we need to re-establish the truth lemma for the calculus RES_EM as the
construction of the model has changed.


Lemma 34 (Truth Lemma for EM). For the calculus RES_EM, let (W, N, θ)
be the C-canonical model for some set C of global clauses. Then, for M ∈ W,
M ⊨ Γ whenever Γ ∈ M, for all local clauses Γ.


The proof is in fact a simplification of the corresponding proof for classical modal 
logic, and we obtain completeness similar to Corollary 31. 


Corollary 35. Monotone modal logic is complete, i.e. any consistent set C of
local or global clauses satisfies C ⊢ ε whenever C is unsatisfiable in the class of
monotone neighbourhood models.


4.2 Logics with Unit 


We now adapt the construction to also incorporate logics with unit, i.e. the modal 
logics EN and EMN that — in addition to the frame conditions for E and EM - 
additionally require that the entire set of worlds is always a neighbourhood of any 
world. To show completeness for these logics, we need to provide a compatible 
inconsistency relation, which — in contrast to the logics E and EM - will no 
longer be binary. 


Lemma 36. Let ⊢ be the calculus RES_EN (resp. RES_EMN) and let C be a set
of global clauses. Let U = {{¬□p} | C ⊢ G(p)}. Then the set P ∪ U is a compatible
inconsistency predicate for ⊢ and C, where P is the inconsistency relation for the
calculus RES_E (resp. RES_EM).


Proof. The inconsistency requirement follows as the predicate closely resembles
the modal rules of the calculus. To see cut closure, suppose that {¬□p} and
{¬□q, □p} ∈ P ∪ U. Then the premisses that derive inconsistency of both sets
can be combined to derive inconsistency of the cut {¬□q}. For compatibility, we
additionally need to consider the case n = 0 from Example 17, and extend the
inductive proof of Lemma 18, where LNRES as last applied rule precisely induces
this case.
This allows us to show completeness, again with a slight variation of the canonical
model construction. The definition of the canonical model just adds the entire
set of worlds to all neighbourhoods.


Definition 37. The canonical model for the logics EN and EMN is the triple
(W, N, θ) where W and θ are as for the logic E (or EM) and N(w) = N_0(w) ∪
{W}, where N_0 is the neighbourhood function of the canonical model for the
logic E (resp. EM).


The truth lemma follows as before, where we apply the rule LNRES to show
inconsistency in case W ∈ N(M).


Lemma 38 (Truth Lemma for EN and EMN). Let (W, N, θ) be the canonical
model for the logic EN or EMN, respectively, over a set C of global clauses.
Then, for M ∈ W, M ⊨ Γ whenever Γ ∈ M, for all local clauses Γ.


Proof. In addition to the cases for E and EM, consider, for a contradiction, that
¬□p ∈ M and M ⊨ □p where θ(p) = W. In this case, C ⊢ G(p) whence M ⊢ ε,
contradicting consistency of M using LNRES.


Completeness for EN and EMN follows as before. 


Corollary 39. The calculi RES_EN and RES_EMN are complete, i.e. C ⊢ ε whenever
C is inconsistent, for any set C of global clauses.


4.3 Logics with Aggregation 


We now turn to completeness for logics that additionally satisfy aggregation,
i.e. the axiom C from Table 1. Our proof strategy is entirely similar to that of
the previous cases, and we start with a compatible inconsistency relation. The
format of the LCRES rules is precisely chosen for the inconsistency relation below
to be closed under cut, which necessitates generalising the C-axiom from binary
conjunctions to arbitrary finite conjunctions.


Lemma 40. Let P be the inconsistency relation for the calculi RES_E, RES_EM,
RES_EN or RES_EMN, and let


U = {{¬□p_0, □p_1, ..., □p_n} | C ⊢ G(C_i) for i = 0, ..., n and clauses
     C_0 ⊆ ¬p_0 ∨ p_1 ∨ ··· ∨ p_n, C_i ⊆ ¬p_0 ∨ p_i for i = 1, ..., n}.


Then P ∪ U is a compatible inconsistency relation for a set C of global clauses
and the calculus RES_EC, RES_EMC, RES_ECN or RES_EMCN, respectively.


The proof is as before, noting that the inconsistency predicate is again modelled
on the shape of the modal rules. The canonical model now takes the following
form, where we distinguish between the different logics.
Definition 41. Let C be a set of global clauses. The canonical model for C and
the logics EC, ECN, EMC or EMCN, respectively, is the triple (W, N, θ)
where W and θ are as before (Definition 28) and N is given by


N_EC(M)   = {θ(p_1) ∩ ··· ∩ θ(p_n) | □p_1, ..., □p_n ∈ M}    for EC
N_ECN(M)  = N_EC(M) ∪ {W}                                   for ECN
N_EMC(M)  = {α ⊆ W | β ⊆ α for some β ∈ N_EC(M)}            for EMC
N_EMCN(M) = N_EMC(M) ∪ {W}                                  for EMCN


for a maximally consistent local extension M ∈ W of C.
As before, we have a truth lemma that gives completeness. 


Lemma 42. Let RES be one of RES_EC, RES_ECN, RES_EMC or RES_EMCN, let
(W, N, θ) be the canonical model for RES, and let C be a set of global clauses.
Then M ⊨ D whenever D ∈ M, for all local clauses D and all maximally
RES-consistent local extensions M of C.


Proof. The interesting case here is EC as the others are extensions of EC that
we have previously discussed. Again, we just consider ¬□p ∈ M and assume
for a contradiction that M ⊨ □p. Then there are p_1, ..., p_n such that θ(p) =
θ(p_1) ∩ ··· ∩ θ(p_n) and □p_1, ..., □p_n ∈ M. From the former we conclude the
premiss of LCRES1 or LCRES2 depending on the sub-clauses we derive through
Corollary 25 and arrive at a contradiction to the consistency of M.


Completeness now follows as in the other cases we have discussed before. 


Corollary 43 (Completeness). The calculi RES_EC, RES_ECN, RES_EMC and
RES_EMCN are complete with respect to the classes of models EC, ECN, EMC
and EMCN, respectively.


5 Conclusion and Future Work 


We have presented the first resolution calculi for the cube of classical non-normal
modal logics. The calculi manipulate sets of modal clauses of a very simple form.
Their completeness is based on the notion of inconsistency predicate. Moreover,
we have seen that resolution calculi appear to be modular, i.e. rules can just be
combined to obtain a stronger calculus. Is this a coincidence? Are there general
principles that enable this compositionality? This is what we are going to explore
in a follow-up paper. Also, the shape of our calculi, i.e. the modal resolution
rules, when compared to the Hilbert axioms, suggests that there might be a
more principled way of synthesising resolution systems from Hilbert axioms. We
aim to investigate this as a next step.
Abstract. In this paper we investigate the Curry-Howard correspondence
for constructive modal logic in light of the gap between the proof
equivalences enforced by the lambda calculi from the literature and by
the recently defined winning strategies for this logic.

We define a new lambda-calculus for a minimal constructive modal 
logic by enriching the calculus from the literature with additional reduc- 
tion rules and we prove normalization and confluence for our calculus. 
We then provide a typing system in the style of focused proof systems 
allowing us to provide a unique proof for each term in normal form, and 
we use this result to show a one-to-one correspondence between terms in 
normal form and winning innocent strategies. 


Keywords: Constructive Modal Logic · Lambda Calculus · Game Semantics


1 Introduction 


Proof theory is the branch of mathematical logic whose aim is studying the
properties of logical arguments (i.e., proofs) as well as the structure of proofs
and their invariants. For this purpose, the most used representations of proofs
are based on tree-like data structures inductively defined using inference rules
of a proof system.¹ Natural deduction and sequent calculus are among the most
used proof systems due to their intuitive representation. Both these proof systems
were originally devised by Gentzen in order to prove the consistency of first-order
arithmetic. Their versatility resulted in their employment for a wide variety of
logics.


The first author is supported by Villum Fonden, grant no. 50079. The second author
is supported by the PRIN project RIPER (No. 20203FFYLK). The third author is
supported by the US Air Force Office for Scientific Research under award number
FA9550-21-1-0007.

¹ It is worth noting that some proof systems (in the sense of [13]) allow representing
proofs using structures such as infinite trees (for non-well-founded proof systems, see,
e.g., [16]), graphs (see proof nets [23,24], combinatorial proofs [28] or proof diagrams
[3]) or structures defined in a compositional way (see open deduction [25] and deep
inference [51]).
However, having formalisms able to represent proofs is not enough to define
"what is a proof" since different derivations, or derivations in different proof
systems, could represent the same abstract object. A notion of proof identity is
therefore required to define a proof as a proper mathematical entity [19]. Such
a notion of identity is provided by delineating the conditions under which two
distinct formal representations of a proof represent the same logical argument.
The definition of these conditions is often driven by semantic considerations (by
performing specific transformations on two derivations, they can be transformed
to the same object) or intuitive ones (two derivations differ only in the order in
which the same rules are applied to the same formulas).

Natural deduction is often considered a satisfactory formalism since it allows
one to define a more canonical representation of proofs with respect to sequent
calculus: sequent calculus derivations differing because of some rule permutations
are represented (via a standard translation) by the same natural deduction
derivation. Moreover, natural deduction provides a one-to-one correspondence
between derivations and lambda-terms, called the Curry-Howard correspondence [49].


Constructive Modal Logic. Classical modal logics are obtained by extending
classical logic with unary operators, called modalities, that qualify the truth of a
judgment. The most used modalities are the □ (called box) and its dual operator
◇ (called diamond) which are usually interpreted as necessity and possibility.
According to the interpretation of such modalities, modal logics find applications,
for example, in knowledge representation [52], artificial intelligence [41] and the
formal verification of computer programs [20,37,46]. The work of Fitch [22]
initiated the investigation of the proof theory of modal logics extending intuitionistic
logic, leading to numerous results on the topic [21,27,36,40,47].

In particular, the Curry-Howard correspondence has been extended to various
constructive modal logics [7,10,17,32,33,45]. Intuitionistic logic can be extended
with modalities in different ways (for an overview see [48]): while in classical
logic axioms involving only □ also describe the behavior of ◇,
for intuitionistic logic this is no longer the case since the duality of the two
modalities no longer holds. This leads to different approaches. Constructive
modal logics consider minimal sets of axioms to guarantee the definition
of the behaviors of the □ and ◇ modalities. A second approach, referred to as
intuitionistic modal logic, considers additional axioms in order to validate the
Gödel-Gentzen translation [15]. In this work we consider a minimal fragment
of the constructive modal logic CK only containing the implication → and the
modality □. This fragment is enough to define types for a λ-calculus with a
let constructor [7] which can be interpreted as an explicit substitution and, for
this reason, we more concisely write N[M_1, ..., M_n / x_1, ..., x_n]_□ instead of
let M_1, ..., M_n be x_1, ..., x_n in N.

Recent works on the proof equivalence of constructive modal logics [6] 
expose a complexity gap between the proof equivalences induced by the natural 
deduction [10] and by the winning innocent strategies [5] for this logic. This discrepancy 
cannot be observed in intuitionistic propositional logic, where there are one-to-one 
correspondences between natural deduction derivations, lambda terms and 
innocent winning strategies. In particular, in the logic CK we observe sequent 
calculus proofs which correspond to the same winning strategy but which cannot 
be represented by the same natural deduction derivation in the systems 
provided in [10,32] (or, equivalently, which correspond to different modal λ-terms). 
By means of example, consider the terms x[z/x]_□ and x[z,w/x,y]_□ and their 
(unique) typing derivations shown in Fig. 1 (see Fig. 3 for the typing system). 
Intuitively, the two terms x[z/x]_□ and x[z,w/x,y]_□ should be semantically 


                Id                         Id
      z:□a, w:□b ⊢ z:□a               x:a ⊢ x:a
      ────────────────────────────────────────── □-subst
              z:□a, w:□b ⊢ x[z/x]_□ : □a

                Id                      Id                      Id
      z:□a, w:□b ⊢ z:□a      z:□a, w:□b ⊢ w:□b         x:a, y:b ⊢ x:a
      ─────────────────────────────────────────────────────────────── □-subst
              z:□a, w:□b ⊢ x[z,w/x,y]_□ : □a

Fig. 1. The typing derivations of the modal λ-terms x[z/x]_□ and x[z,w/x,y]_□. 


equivalent since the explicit substitution of the variable y in the term x is vacuous. 
Said differently, if we make explicit the substitution encoded by the constructor 
Let, both terms x[z/x]_□ and x[z,w/x,y]_□ should reduce to the term z. 

In fact, this undesirable behavior disappears when considering the Winning 
Innocent Strategies for CK defined in [5]. In this syntax, both the above natural 
deduction derivations correspond to the same strategy below. 


S = {ε, a°, a°a•}   over the arena   ⟦□a, □b ⊢ □a⟧   (arena drawing not reproduced)   (1) 


Contribution. In this paper we define a new modal λ-calculus for CK by 
considering additional rewriting rules that allow us to retrieve a one-to-one 
correspondence between terms in normal form and winning innocent strategies, that 
is, providing more canonical representatives for proofs with respect to natural 
deduction and to the modal λ-terms defined in the literature. From the technical 
point of view, we obtain this result by extending the operational semantics of 
the modal λ-calculus with the appropriate new reduction rules for the explicit 
substitution encoded by the Let, dealing with contraction and weakening operating 
on the variables bound by the Let. We call this set of rules the κ-reduction, 
which we show to be strongly normalizing using elementary combinatorial methods. 
In order to deal with the interaction of the η-reduction with the β-reduction, 
we define a restricted η-reduction following an approach similar to the one used 
in [18,31,43]. We prove strong normalization and confluence for our new operational 
semantics. 

After proving confluence and strong normalization for our modal λ-calculus, 
we provide a canonical typing system inspired by focused sequent calculi (see, 
e.g., [8]) providing a unique typing derivation for each term in normal form. 
We conclude by establishing a one-to-one correspondence between the winning 
strategies defined in [5] and proofs of this calculus, therefore with terms in normal 
form. 


Related Work. To the best of our knowledge, the first paper proposing a 
Curry-Howard correspondence for the logic CK is [10]. In this work, the authors 
provide a natural deduction system for the logic CK by enriching the standard 
system for intuitionistic propositional logic with a generalized elimination rule 
capable of taking into account the behavior of the □-modality. At the level of 
lambda calculus, they enrich the syntax of terms by adding a new constructor 
Let defined as follows: 


Let x_1,...,x_n be N_1,...,N_n in M   (which we denote M[N_1,...,N_n/x_1,...,x_n]_□)   (2) 


providing a notation which can be interpreted as an explicit substitution of the 
variable x_i with the term N_i, for all occurrences of x_1,...,x_n inside a term M. 
For this calculus, the authors only consider the usual η and β reductions plus 
the following reduction: 


Let y be P in (Let x be N in M)  ⇝  Let v be (Let y be P in N) in (Let x be v in M) 
(in our syntax this reduction is written as M[N/x]_□[P/y]_□ ⇝ M[v/x]_□[N[P/y]_□/v]_□) 


In [32] the author considers the usual η and β reductions together with the 
following additional reduction rule, specifically designed to handle the explicit 
substitution construct: 

M[P̄, R[N̄/z̄]_□, Q̄/x̄, y, w̄]_□  ⇝  M{R/y}[P̄, N̄, Q̄/x̄, z̄, w̄]_□   (3) 

In the same paper, the author provides a detailed proof of strong normalization 
and confluence for modal lambda terms with respect to the standard η and 
β reductions, plus this new reduction. However, this calculus also does not 
manage to fix the aforementioned problem with canonicity. 

An alternative natural deduction system (and λ-calculus) is proposed in [33], 
where the symmetry between elimination and introduction rules typical of natural 
deduction is restored. However, this result requires defining a sequent calculus 
where sequents have a more complex structure (dual contexts), and it lacks 
an in-depth study of the operational semantics because η-expansion is not 
considered in the calculus. 


Outline of the Paper. In Sect. 2 we recall the definition of the fragment of the 
logic CK we consider in this paper, as well as the main results on the proof theory 
for this logic, its natural deduction and lambda calculus. In Sect. 3 we define the 
modal λ-calculus we consider in this paper, proving its strong normalization 
and confluence properties. In Sect. 4 we provide a typing system in the style of 
focused sequent calculi, where we are able to narrow the proof search of the 
type assignment of our normal terms to a single derivation. In Sect. 5 we recall 
the definition of the game semantics for the logic we consider and we prove the 
one-to-one correspondence between terms in normal form and winning strategies. 

For reasons of space, we omit in the paper the proofs of those technical lemmas 
that are not particularly interesting (mostly by induction and case analysis). 
These proofs can be found in the extended version of this paper [4]. 


2 Preliminaries 


In this section we recall the definition of the (fragment of the) constructive 
modal logic CK we consider in this paper, and we recall the definition and some 
terminology for modal λ-terms. We are interested in a minimal constructive 
modal logic whose formulas are defined from a countable set of propositional 
variables 𝒜 = {a, b, c, ...} using the following grammar: 

A ::= a | (A → A) | □A   (4) 

We say that a formula is modality-free if it contains no occurrences of the 
modality □. A formula is a →-formula if it is of the form A → B. In the 
following we use Krivine's convention [38] and write (A_1,...,A_n) → C as a 
shortcut for (A_1 → (⋯ → (A_n → C)⋯)). A sequent is an expression Γ ⊢ C 
where Γ is a finite (possibly empty) list of formulas and C is a formula. If 
Γ = A_1,...,A_n and σ is a permutation over {1,...,n}, then we may write σ(Γ) 
to denote A_σ(1),...,A_σ(n). 

In this paper we consider the logic CK defined by extending the conjunction-free 
and disjunction-free fragment of intuitionistic propositional logic with the 
modality □, whose behavior is defined by the necessitation rule and the axiom 
K_□ below. 

Nec = if A is provable, then also □A is          K_□ = □(A → B) → (□A → □B) 


The sequent calculus SCK, whose rules are provided in Fig. 2, is a sound and 
complete proof system for the logic CK. This system has been extracted from 
the one presented in [39] and satisfies cut-elimination. 


2.1 A Lambda Calculus for CK 


The set of (untyped) modal λ-terms is defined inductively from a countable set 
of variables 𝒱 = {x, y, ...} using the following grammar: 

M, N ::= x | λx.M | (MN) | M[N_1,...,N_n/x_1,...,x_n]_□ 

where x̄ = x_1,...,x_n is a list of distinct variables. Modal λ-terms are considered 
modulo the standard α-equivalence (denoted =_α, see [9]) and modulo the equivalence 
generated by the following permutations over the order of substitutions in the 
[·/·]_□ constructor: 

[N_1,...,N_n/x_1,...,x_n]_□ = [N_σ(1),...,N_σ(n)/x_σ(1),...,x_σ(n)]_□ = [σ(N̄)/σ(x̄)]_□ 

for any permutation σ over {1,...,n}. 
  ax  ─────────       ex   Γ ⊢ C          →R   Γ, A ⊢ C          →L   Γ ⊢ A     B, Δ ⊢ C
      A ⊢ A               ──────────          ───────────            ──────────────────────
                          σ(Γ) ⊢ C             Γ ⊢ A → C              Γ, Δ, A → B ⊢ C

  K   Γ ⊢ A          W    Γ ⊢ C          C    Γ, A, A ⊢ C       cut  Γ ⊢ A     Δ, A ⊢ C
      ──────────          ──────────          ────────────            ──────────────────
      □Γ ⊢ □A             Γ, A ⊢ C             Γ, A ⊢ C               Γ, Δ ⊢ C

Fig. 2. Sequent calculus rules of the sequent system SCK, where σ is a permutation 
over {1,...,n}. 


  Id   x_1:A_1, ..., x_n:A_n ⊢ x_i : A_i     (i ∈ {1,...,n})

  Abs  Γ, x:A ⊢ M : C               App  Γ ⊢ N : A     Γ ⊢ M : A → C
       ─────────────────                 ─────────────────────────────
       Γ ⊢ λx.M : A → C                  Γ ⊢ MN : C

  □-subst  Γ ⊢ N_1 : □A_1   ⋯   Γ ⊢ N_n : □A_n     x_1:A_1, ..., x_n:A_n ⊢ M : C
           ────────────────────────────────────────────────────────────────────  (x_1,...,x_n do not occur in Γ)
           Γ ⊢ M[N_1,...,N_n/x_1,...,x_n]_□ : □C

Fig. 3. Typing rules in the natural deduction system ND_CK for modal λ-terms. 


As usual, application associates to the left and has higher precedence than 
abstraction. For example, λxyz.xyz := λx.(λy.(λz.((xy)z))). A modal λ-term is 
an (explicit) substitution if it is of the form M[N̄/x̄]_□, an application if it is of the 
form MN, and a λ-abstraction if it is of the form λx.M. 
The set of subterms of a term M (denoted Sub(M)) is defined as follows: 

Sub(x) = {x},   Sub(λx.M) = Sub(M) ∪ {λx.M},   Sub(MN) = Sub(M) ∪ Sub(N) ∪ {MN}, 
Sub(M[N_1,...,N_n/x_1,...,x_n]_□) = Sub(M) ∪ (⋃_{i=1}^{n} Sub(N_i)) ∪ {M[N_1,...,N_n/x_1,...,x_n]_□}. 


Its length |M| and its set of free variables FV(M) are defined as: 

|x| = 0                                          FV(x) = {x} 
|λx.N| = |N| + 1                                 FV(λx.N) = FV(N) \ {x} 
|NP| = max{|N|, |P|} + 1                         FV(NP) = FV(N) ∪ FV(P) 
|N[P̄/x̄]_□| = max{|N|, |P_1|, ..., |P_n|} + 1     FV(N[P̄/x̄]_□) = ⋃_i FV(P_i) 

We denote by |M|_x the number of occurrences of the free variable x in a term 
M, and we may write |M|_x = 0 if x ∉ FV(M); we say that a term M 
is linear in the variables x_1,...,x_n if |M|_{x_i} = 1 for all i ∈ {1,...,n}. We 
denote by M{N_1,...,N_n/x_1,...,x_n} the result of the standard capture-avoiding 
substitution of the occurrences of the variables x_1,...,x_n in M with the terms 
N_1,...,N_n respectively (see, e.g., [50]). 

A variable declaration is an expression x : A where x is a variable and A is a 
type, that is, a formula as defined in Equation (4). A (typing) context is a finite 
list Γ := x_1 : A_1, ..., x_n : A_n of distinct variable declarations. Given a context 
Γ = x_1 : A_1, ..., x_n : A_n, we say that a variable x appears in Γ if x = x_i for some 
i ∈ {1,...,n}, and we denote by Γ, y : B the context x_1 : A_1, ..., x_n : A_n, y : B, 
implicitly assuming that y does not appear in Γ. A type assignment is an expression 
of the form Γ ⊢ M : A where Γ is a context, M a modal λ-term and A a 
type. 
Definition 1. Let Γ ⊢ M : A be a type assignment. A typing derivation (or 
derivation for short) of Γ ⊢ M : A in ND_CK is a finite tree of type assignments 
constructed using the rules in Fig. 3 in such a way that it has root Γ ⊢ M : A and 
each leaf is the conclusion of an Id-rule. A type assignment is derivable (in ND_CK) 
if there is a derivation with conclusion the given type assignment. 

We denote by Λ (resp. by Λ^□ and Λ^λ) the set of modal λ-terms (resp. the set 
of substitutions and of λ-abstractions in Λ) admitting a derivable type assignment 
in ND_CK. 
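As an added example that is not part of the paper, the following Python routine implements type inference for the four rules of ND_CK in Fig. 3 and runs it on the two terms of Fig. 1 and on the proof term of the axiom K_□; the tuple encoding of terms and types, the type annotation on λ-binders and the function names are conventions of this example.

```python
"""Type inference for modal λ-terms in ND_CK (the four rules of Fig. 3).

Added example; not code from the paper.  Terms and types are plain tuples
(a convention of this example):
  ('var', x)          variable x
  ('lam', x, A, M)    λx.M with the binder annotated by its type A
  ('app', M, N)       application M N
  ('let', M, Ns, xs)  M[N_1,...,N_n / x_1,...,x_n]_□
  'a'                 atomic type;  ('->', A, B) = A → B;  ('box', A) = □A
"""


class Untypable(Exception):
    """Raised when no rule of Fig. 3 applies."""


def infer(ctx, term):
    """Return the type C such that ctx ⊢ term : C, or raise Untypable.
    ctx is a dict mapping variable names to types (a typing context Γ)."""
    tag = term[0]
    if tag == 'var':                                   # rule Id
        if term[1] not in ctx:
            raise Untypable(f"variable {term[1]} is not declared in the context")
        return ctx[term[1]]
    if tag == 'lam':                                   # rule Abs
        _, x, a, body = term
        if x in ctx:                                   # Γ, x:A presupposes x ∉ Γ
            raise Untypable(f"{x} is already declared in the context")
        return ('->', a, infer({**ctx, x: a}, body))
    if tag == 'app':                                   # rule App
        _, m, n = term
        tm, tn = infer(ctx, m), infer(ctx, n)
        if not (isinstance(tm, tuple) and tm[0] == '->' and tm[1] == tn):
            raise Untypable(f"cannot apply a term of type {tm} to one of type {tn}")
        return tm[2]
    if tag == 'let':                                   # rule □-subst
        _, m, ns, xs = term
        if len(ns) != len(xs) or len(set(xs)) != len(xs):
            raise Untypable("Let binds a list of distinct variables, one per term")
        inner = {}
        for x, n in zip(xs, ns):
            if x in ctx:                               # side condition: x̄ do not occur in Γ
                raise Untypable(f"{x} occurs in the outer context")
            tn = infer(ctx, n)                         # premise Γ ⊢ N_i : □A_i
            if not (isinstance(tn, tuple) and tn[0] == 'box'):
                raise Untypable(f"{n} has type {tn}, but a □-type is required")
            inner[x] = tn[1]
        # The body is typed in x_1:A_1,...,x_n:A_n alone, without Γ: this is what
        # makes □-subst the proof-term counterpart of the rule K of SCK.
        return ('box', infer(inner, m))
    raise Untypable(f"malformed term {term!r}")


def fig1_types():
    """Fig. 1: both z:□a, w:□b ⊢ x[z/x]_□ and z:□a, w:□b ⊢ x[z,w/x,y]_□ have type □a."""
    ctx = {'z': ('box', 'a'), 'w': ('box', 'b')}
    t1 = ('let', ('var', 'x'), [('var', 'z')], ['x'])
    t2 = ('let', ('var', 'x'), [('var', 'z'), ('var', 'w')], ['x', 'y'])
    return infer(ctx, t1), infer(ctx, t2)


def k_axiom_type():
    """The proof term λf.λu.(x y)[f,u/x,y]_□ of K_□ = □(a → b) → (□a → □b)."""
    body = ('let', ('app', ('var', 'x'), ('var', 'y')),
            [('var', 'f'), ('var', 'u')], ['x', 'y'])
    term = ('lam', 'f', ('box', ('->', 'a', 'b')), ('lam', 'u', ('box', 'a'), body))
    return infer({}, term)


def body_may_use_outer_context():
    """z:□a, u:a ⊢ u[z/x]_□ is rejected: the Let body only sees x:a, not u."""
    try:
        infer({'z': ('box', 'a'), 'u': 'a'}, ('let', ('var', 'u'), [('var', 'z')], ['x']))
        return True
    except Untypable:
        return False
```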


3 A New Modal Lambda Calculus 


In this section we define a new modal lambda calculus by enriching the operational 
semantics of the previous calculi with additional reduction rules aiming at 
recovering canonicity, and we prove its confluence and strong normalization properties. 
To define our term rewriting rules, we require special care when they are 
applied in a proper subterm. This is due to the fact that the explicit substitution 
encoded by [·/·]_□ could capture free variables. For this reason, we introduce 
the notion of term with a hole as a term of the form C[∘] containing a single 
occurrence of a special variable ∘. More precisely, the set CwH of terms with a 
hole and the two sets CwH_η and CwH_κ of specific terms with a hole are defined 
by the following grammars: 

CwH:    C[∘] ::= ∘ | λx.C[∘] | M C[∘] | C[∘] M | C[∘][M̄/x̄]_□ | M[N̄_1, C[∘], N̄_2/x̄_1, x, x̄_2]_□ 
CwH_η:  E[∘] ::= ∘ | λx.E[∘] | M E[∘] | E'[∘] M | E[∘][M̄/x̄]_□ | M[N̄_1, E[∘], N̄_2/x̄_1, x, x̄_2]_□ 
CwH_κ:  D[∘] ::= ∘ | λx.D[∘] | M D[∘] | D[∘] M | D[∘][M̄/x̄]_□ | M[N̄_1, D'[∘], N̄_2/x̄_1, x, x̄_2]_□ 
with E'[∘] ≠ ∘ ≠ D'[∘] 

We denote by C[M] the term obtained by replacing the hole ∘ in C[∘] with 
the term M. By means of example, if C[∘] = ∘ then C[M] = M, and if E[∘] = 
(λz.zN)[∘/x]_□ then E[M] = (λz.zN)[M/x]_□. The reduction relations of our 
calculus are provided in Fig. 4, where the ground steps and the rules for extending 
them to specific contexts are provided. 


Remark 1. The term constructor Let (i.e., [·/·]_□ from Equation (2)) plays no role 
in the standard η and β reduction rules from the literature, where it behaves 
as a black box during reduction. The inertness of this constructor with respect 
to normalization is indeed what makes the lambda calculi in [10,32] unable to 
identify terms whose expected behavior is the same, as, for example, the following 
pairs of terms: 

x[v/x]_□ and x[v,w/x,y]_□        xyz[v,v/y,z]_□ and xyy[v/y]_□   (5) 

Our operational semantics extends the one provided in [32]. The novelty of 
our approach is the definition of the κ-reduction and the restriction of the 
η-reduction. The former is needed to be able to identify modal λ-terms with the 
Ground Steps: 
(λx.M)N ⇝_β M{N/x} 
M[P̄, R[N̄/z̄]_□, Q̄/x̄, y, w̄]_□ ⇝_β M{R/y}[P̄, N̄, Q̄/x̄, z̄, w̄]_□ 
M ⇝_η λx.Mx            if Γ ⊢ M : A → B, x ∉ FV(M) and M ∉ Λ^λ 
M ⇝_η x[M/x]_□         if Γ ⊢ M : □A, x ∉ FV(M) and M ∉ Λ^□ 
M[P̄, N, Q̄/x̄, y, z̄]_□ ⇝_κ M[P̄, Q̄/x̄, z̄]_□            if |M|_y = 0 
M[P̄, N, N, Q̄/x̄, y_1, y_2, z̄]_□ ⇝_κ M{v,v/y_1,y_2}[P̄, N, Q̄/x̄, v, z̄]_□     with v fresh 

Reduction Steps in Contexts: 

M ⇝_β N  implies  C[M] ⇝_β C[N]        M ⇝_η N  implies  E[M] ⇝_η E[N]        M ⇝_κ N  implies  D[M] ⇝_κ D[N] 
with C[∘] ∈ CwH, E[∘] ∈ CwH_η and D[∘] ∈ CwH_κ 

Fig. 4. Definition of the ground steps of the reduction relations, and the rules for their 
extension to terms with holes. 


same expected computational meaning, as the ones in Eq. (5). The latter is carefully 
defined to avoid η-redexes that would make the reduction non-terminating, 
using a well-known technique in term rewriting theory (see, e.g., [31,43]). 
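As an added example that is not part of the paper, the following Python code implements the two κ ground steps of Fig. 4 together with their closure under contexts and a check of α-equivalence, and applies them to the two pairs of Eq. (5); the tuple encoding of terms (restricted to variables, applications and Let, since abstractions are inert for κ) and all function names are conventions of this example.

```python
"""κ-reduction on the Let constructor (ground steps of Fig. 4), added as an example;
not code from the paper.  Terms are tuples: ('var', x), ('app', M, N) and
('let', M, Ns, xs) for M[N_1,...,N_n/x_1,...,x_n]_□; abstractions are left out
because no κ step inspects them.  The two κ ground steps are
  weakening    M[P̄,N,Q̄/x̄,y,z̄]_□        ⇝κ  M[P̄,Q̄/x̄,z̄]_□                 if |M|_y = 0
  contraction  M[P̄,N,N,Q̄/x̄,y1,y2,z̄]_□  ⇝κ  M{v,v/y1,y2}[P̄,N,Q̄/x̄,v,z̄]_□   with v fresh
"""
from itertools import count

_counter = count()

def fresh():
    """A variable name unused elsewhere (assumes user variables never start with '_')."""
    return f"_v{next(_counter)}"

def fv(term):
    """Free variables.  The paper's FV only collects the N_i (typed Let bodies are
    closed by x̄); for arbitrary terms the body's other free variables are kept."""
    if term[0] == 'var':
        return {term[1]}
    if term[0] == 'app':
        return fv(term[1]) | fv(term[2])
    _, m, ns, xs = term
    return (fv(m) - set(xs)) | set().union(*map(fv, ns))

def rename(term, mapping):
    """term{v_1/y_1,...} for fresh variables v_i: no capture is possible, so only
    shadowing by a Let binder has to be handled."""
    if term[0] == 'var':
        return ('var', mapping.get(term[1], term[1]))
    if term[0] == 'app':
        return ('app', rename(term[1], mapping), rename(term[2], mapping))
    _, m, ns, xs = term
    inner = {k: v for k, v in mapping.items() if k not in xs}
    return ('let', rename(m, inner), [rename(n, mapping) for n in ns], xs)

def kappa_step(term):
    """One κ ground step at the root of a Let, or None if neither applies."""
    if term[0] != 'let':
        return None
    _, m, ns, xs = term
    free = fv(m)
    for i, x in enumerate(xs):                       # weakening: |M|_x = 0
        if x not in free:
            return ('let', m, ns[:i] + ns[i + 1:], xs[:i] + xs[i + 1:])
    for i in range(len(ns)):                         # contraction: two syntactically
        for j in range(i + 1, len(ns)):              # equal N's bound to y1 and y2
            if ns[i] == ns[j]:
                v = fresh()
                keep = [k for k in range(len(ns)) if k not in (i, j)]
                return ('let', rename(m, {xs[i]: v, xs[j]: v}),
                        [ns[i]] + [ns[k] for k in keep], [v] + [xs[k] for k in keep])
    return None

def rewrite_once(term, step):
    """Apply `step` at the leftmost-outermost position where it fires."""
    new = step(term)
    if new is not None:
        return new, True
    if term[0] == 'app':
        for idx in (1, 2):
            sub, done = rewrite_once(term[idx], step)
            if done:
                return (('app', sub, term[2]) if idx == 1 else ('app', term[1], sub)), True
    if term[0] == 'let':
        _, m, ns, xs = term
        m2, done = rewrite_once(m, step)
        if done:
            return ('let', m2, ns, xs), True
        for i, n in enumerate(ns):
            n2, done = rewrite_once(n, step)
            if done:
                return ('let', m, ns[:i] + [n2] + ns[i + 1:], xs), True
    return term, False

def normalize(term, step=kappa_step):
    """Iterate `step` in context; terminates since every κ step shrinks ‖·‖_κ."""
    done = True
    while done:
        term, done = rewrite_once(term, step)
    return term

def canon(term, env=None, ctr=None):
    """Canonical α-representative: Let binders renamed by order of appearance."""
    env = {} if env is None else env
    ctr = count() if ctr is None else ctr
    if term[0] == 'var':
        return ('var', env.get(term[1], term[1]))
    if term[0] == 'app':
        return ('app', canon(term[1], env, ctr), canon(term[2], env, ctr))
    _, m, ns, xs = term
    ns2 = [canon(n, env, ctr) for n in ns]
    bs = [f"#{next(ctr)}" for _ in xs]
    return ('let', canon(m, {**env, **dict(zip(xs, bs))}, ctr), ns2, bs)

def eq5_pairs_identified():
    """Both pairs of Eq. (5) have α-equivalent κ-normal forms."""
    v, w, x, y, z = (('var', c) for c in "vwxyz")
    xyz, xyy = ('app', ('app', x, y), z), ('app', ('app', x, y), y)
    pairs = [(('let', x, [v], ['x']), ('let', x, [v, w], ['x', 'y'])),
             (('let', xyz, [v, v], ['y', 'z']), ('let', xyy, [v], ['y']))]
    return [canon(normalize(a)) == canon(normalize(b)) for a, b in pairs]
```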

The need for these restrictions can be observed in the two following (unrestricted) 
η-reduction chains, which are both forbidden by our restricted rule from 
Fig. 4. 

M ⇝_η λx.Mx ⇝_η λx.(λy.My)x ⇝_η ⋯                    whenever Γ ⊢ M : A → B 
M ⇝_η x[M/x]_□ ⇝_η x[y[M/y]_□/x]_□ ⇝_η ⋯              whenever Γ ⊢ M : □A 

Moreover, our definition rules out interactions between the η and β reductions 
which could lead to infinite chains, such as the ones shown below. 

λx.M ⇝_η λy.(λx.M)y ⇝_β λy.(M{y/x}) =_α λx.M     or     x[M/x]_□ ⇝_η x[y[M/y]_□/x]_□ ⇝_β y[M/y]_□ =_α x[M/x]_□ 

Definition 2. We define the following reduction relations: 

⇝_βη = ⇝_β ∪ ⇝_η      ⇝_βκ = ⇝_β ∪ ⇝_κ      ⇝_βηκ = ⇝_β ∪ ⇝_η ∪ ⇝_κ   (6) 

For any ξ ∈ {β, η, κ, βη, βκ, βηκ}, we denote by ⇝_ξ^+ its transitive closure, by 
⇝_ξ^= its reflexive closure, by ⇝_ξ^* its reflexive and transitive closure, and by =_ξ 
the equivalence relation it enforces over terms, that is, its reflexive, symmetric 
and transitive closure. Given a term M, we denote by nf_ξ(M) the set of its 
⇝_ξ-normal forms. A term M is strongly normalizable for ⇝_ξ if it admits no 
infinite ⇝_ξ-chains. A reduction ⇝_ξ is strongly normalizing if every term M is 
strongly normalizable for it. A reduction ⇝_ξ is confluent if, given M ⇝_ξ N_1 and 
M ⇝_ξ N_2, there exists a term N such that N_1 ⇝_ξ^* N and N_2 ⇝_ξ^* N. 
The substitution lemma and the subject reduction theorem hold for the reduction 
⇝_βηκ: 

Lemma 1 (Substitution Lemma). Let Γ, x : B ⊢ M : C and Γ ⊢ N : B be 
derivable type assignments. Then Γ, x : B ⊢ M{N/x} : C is a derivable type 
assignment. 

Theorem 1. Let Γ ⊢ M : C be derivable. If M ⇝_βηκ N, then Γ ⊢ N : C. 


Proof. Because of Lemma 1, it suffices to check the cases where M reduces to N 
in one ground step of ⇝_βηκ: 

– if M ⇝_β1 N, then M = (λx.P)Q and N = P{Q/x}. The case where M ⇝_β2 
N uses a similar argument. The result follows from the fact that if Γ, x : B ⊢ M : C 
and Γ ⊢ N : B are derivable type assignments, then Γ, x : B ⊢ M{N/x} : C 
by Lemma 1; 

– if M ⇝_η1 N, then C = A → B and N = λx.Mx. The result follows by 
applying the rule Abs. The case where M ⇝_η2 N uses a similar argument; 

– if M ⇝_κ1 N_1, then M = M'[P_1,...,P_k, N, P_{k+1},...,P_n/x_1,...,x_k, x, x_{k+1},...,x_n]_□ 
such that x is not free in M', C = □B, and N_1 = M'[P̄/x̄]_□. Then there are 
derivations for Γ ⊢ P_i : A_i for all i ∈ {1,...,n} (for some A_i) and a derivation for 
x_1 : A_1, ..., x_k : A_k, x : A, x_{k+1} : A_{k+1}, ..., x_n : A_n ⊢ M' : B. Therefore we have 
a derivation for x_1 : A_1, ..., x_n : A_n ⊢ M' : B, since weakening is admissible (that is, 
whenever Γ, x : A ⊢ M : C is derivable and x does not occur free in M, then Γ ⊢ M : C 
is also derivable)². Then we have a derivation of Γ ⊢ N : C with bottom-most 
rule a □-subst with right-most premise x_1 : A_1, ..., x_n : A_n ⊢ M' : B and a 
premise Γ ⊢ P_i : A_i for each i ∈ {1,...,n}; 

– if M ⇝_κ2 N_1, then we conclude similarly to the previous point, since we have 
M = M'[P̄, N, N, Q̄/x̄, y_1, y_2, z̄]_□ and N_1 = M'{v,v/y_1,y_2}[P̄, N, Q̄/x̄, v, z̄]_□. 


We can prove local confluence of ⇝_βηκ by case analysis of the critical pairs, 
using the following lemma. 

Lemma 2. Let P, P' and Q be modal λ-terms. If P ⇝_βηκ P', then P{Q/x} ⇝_βηκ 
P'{Q/x}. Moreover, there is an N_Q such that Q{P/x} ⇝_βηκ^* N_Q and 
Q{P'/x} ⇝_βηκ^* N_Q. 

Proposition 1. The reduction ⇝_βηκ is locally confluent. 

Proof. We show that if there are M, N_1 and N_2 with N_1 ≠ N_2 such that 
M ⇝_βηκ N_1 and M ⇝_βηκ N_2, then there exists N such that N_1 ⇝_βηκ^* N 
and N_2 ⇝_βηκ^* N. Without loss of generality we have the following cases: 

² The admissibility of weakening is easily proven by induction on the size of a derivation. 
1. if M ⇝_β1 N_1 with M = (λx.P)Q and N_1 = P{Q/x}, then N_2 can only be 
obtained by applying ⇝_βηκ to the subterms P and Q of M. We conclude by 
Lemma 2; 

2. if M ⇝_β2 N_1 with M = M'[P̄, R[N̄/z̄]_□, Q̄/x̄, y, w̄]_□ and with 
N_1 = M'{R/y}[P̄, N̄, Q̄/x̄, z̄, w̄]_□, then N_2 must be a term obtained by 
applying ⇝_βηκ on R or on one of the terms in P̄, N̄ or Q̄. We conclude again 
by Lemma 2; 

3. if M ⇝_η1 N_1, then Γ ⊢ M : A → B and N_1 = λx.Mx. Therefore, for any N_2 
such that M ⇝_βηκ N_2 we have that Γ ⊢ N_2 : A → B (by subject reduction). 
Then 
   – either N_2 is not an abstraction and we conclude by letting N = λx.N_2x, 
   – or otherwise N_2 = λy.M' and we conclude since N_1 ⇝_βηκ λx.N_2x ⇝_βηκ N_2; 

4. if M ⇝_η2 N_1 with Γ ⊢ M : □A and N_1 = x[M/x]_□, then we conclude with an 
argument similar to the previous point, by letting N = x[N_2/x]_□; 

5. if M ⇝_κ N_1, then either M = M'[P̄, N, Q̄/x̄, x, z̄]_□ reduces via ⇝_κ1 to 
N_1 = M'[P̄, Q̄/x̄, z̄]_□, or M = M'[P̄, N, N, Q̄/x̄, y_1, y_2, z̄]_□ reduces via 
⇝_κ2 to N_1 = M'{y,y/y_1,y_2}[P̄, N, Q̄/x̄, y, z̄]_□. In both cases we conclude 
with an argument similar to the one in Case (2). 


In order to prove the termination of ⇝_βηκ, we define the following measures. 

Definition 3. Let M be a modal λ-term. We define the following multisets of 
derivable type assignments: 

Est_η1(M) = { B → C | P ∈ Sub(M) \ Λ^λ such that M ≠ PQ and ⊢ P : B → C } 
Est_η2(M) = { □B | P ∈ Sub(M) \ Λ^□ such that M ≠ Q[N̄_1, P, N̄_2/x̄_1, x, x̄_2]_□ and ⊢ P : □B } 

We then define ‖M‖_η = ‖M‖_η^1 + ‖M‖_η^2 with 

‖M‖_η^1 = Σ_{A ∈ Est_η1(M)} ‖A‖_1        and        ‖M‖_η^2 = Σ_{A ∈ Est_η2(M)} ‖A‖_2 

‖a‖_1 = 0     ‖A → B‖_1 = ‖A‖_1 + ‖B‖_1 + 1     ‖□A‖_1 = ‖A‖_1 
‖a‖_2 = 0     ‖A → B‖_2 = ‖A‖_2 + ‖B‖_2         ‖□A‖_2 = ‖A‖_2 + 1 

We also define ‖M‖_κ as the size of the substitution subterms of M as follows: 

‖x‖_κ = 0     ‖λx.M‖_κ = ‖M‖_κ     ‖MN‖_κ = ‖M‖_κ + ‖N‖_κ 
‖M[N_1,...,N_n/x_1,...,x_n]_□‖_κ = ‖M‖_κ + Σ_{i=1}^{n} ‖N_i‖_κ + n 

Example 1. Intuitively, the measure ‖·‖_η does not take into account all the 
subterms of M, but only the ones on which we can apply the restricted ⇝_η. 
For an example, consider the modal λ-term M = (λx^{a→a}.x)y with ‖M‖_η = 3: 
all four subterms of M have a →-formula as type, but the subterm λx.x 
is an abstraction, therefore no ⇝_η can be applied to it. If M ⇝_η N, because of 
the restrictions on ⇝_η we have that 

– either N = (λx.x)(λv.yv) with ‖N‖_η = 2, because no ⇝_η can be applied to 
the subterms y and λx.x (they occur on the left of an application) or λv.yv 
(it is an abstraction), but only to the subterm x and to the whole term N; 

– or N = λv^a.((λx.x)y)v with ‖N‖_η = 2, because ⇝_η can only be applied to 
the subterms x and y. 


Lemma 3. Let M and N be modal λ-terms. If M ⇝_η N, either ‖N‖_η < ‖M‖_η 
or there is N' such that N ⇝_κ N' and ‖N'‖_η < ‖M‖_η. 

Lemma 4. The following commutations between ⇝_β, ⇝_η and ⇝_κ hold: 

– if M ⇝_κ N ⇝_β N', then there is M' such that M ⇝_β M' and M' ⇝_κ^* N'; 
– if M ⇝_η N ⇝_κ N', then there is M' such that M ⇝_κ M' and M' ⇝_η^* N'; 
– if M ⇝_β N ⇝_η N', then there is M' such that M ⇝_η M' and M' ⇝_β^* N'. 

Theorem 2. The reduction relation ⇝_βηκ is strongly normalizing and confluent. 


Proof. After Proposition 1, it suffices to prove that ⇝_βηκ is strongly normalizing 
to conclude by Newman's lemma that ⇝_βηκ is also confluent. 

To prove strong normalization we use the fact that the reductions ⇝_β, ⇝_η 
and ⇝_κ are strongly normalizing: for ⇝_β the proof can be found in [32], for ⇝_η 
the proof is by induction on ‖·‖_η using Lemma 3, and for ⇝_κ it follows from the fact 
that, by definition of ‖·‖_κ, we have ‖M‖_κ > ‖N‖_κ whenever M ⇝_κ N. To 
conclude that ⇝_βηκ is also strongly normalizing, we use the standard result (see, e.g., 
[50]) in rewriting theory ensuring that, given two strongly normalizing reduction 
relations ⇝_1 and ⇝_2 with ⇝_1 confluent, if M ⇝_2 N implies the existence of 
a reduction nf_1(M) ⇝_2^+ nf_1(N) for any M and N, then ⇝_1 ∪ ⇝_2 is strongly 
normalizing. In our case, the fact that M ⇝_2 N implies nf_1(M) ⇝_2^+ nf_1(N) is a 
corollary of Lemma 4. 


Definition 4. The set Λ̂ is the set of modal λ-terms defined inductively as follows: 

– if x is a variable, T_1,...,T_n ∈ Λ̂ and there are derivations for the type 
assignments Γ ⊢ x : (A_1,...,A_n) → C with C atomic and Γ ⊢ T_i : A_i for all 
i ∈ {1,...,n}, then xT_1⋯T_n ∈ Λ̂. Variables are the special case with n = 0; 

– if T ∈ Λ̂ and there is a derivation of Γ, x : A ⊢ T : C, then λx^A.T ∈ Λ̂; 

– if M ∈ Λ̂, FV(M) = {x_1,...,x_n} and the type assignment x_1 : B_1, ..., x_n : B_n ⊢ M : C 
is derivable, and if there are n distinct terms T_1,...,T_n ∈ Λ̂ 
of the shape T_i = y_i U_{i,1} ⋯ U_{i,k_i}, with U_{i,j} ∈ Λ̂ for all i ∈ {1,...,n} and j ∈ 
{1,...,k_i}, such that the type assignment Γ ⊢ T_i : □B_i is derivable for all 
i ∈ {1,...,n}, then M[T_1,...,T_n/x_1,...,x_n]_□ ∈ Λ̂. 

Proposition 2. The set Λ̂ is the set of modal λ-terms in βηκ-normal form, 
nf_βηκ(Λ). 


Proof. By definition, every term in Λ̂ is ⇝_βηκ-normal. To prove the converse 
we proceed by induction on the structure of M ∈ nf_βηκ(Λ): 

– if M = x, then M ∈ Λ̂ by definition; 

– if M = λx.M' ∈ nf_βηκ(Λ), then also M' ∈ nf_βηκ(Λ). By inductive hypothesis, 
this implies M' ∈ Λ̂. Therefore λx.M' ∈ Λ̂; 

– if M = PQ ∈ nf_βηκ(Λ), then both P and Q are in nf_βηκ(Λ) and there is 
a derivable type assignment Γ ⊢ M : C, and derivable type assignments 
Γ ⊢ P : A → C and Γ ⊢ Q : A. We have that no ⇝_η-rule can be applied 
to M because M ∈ nf_η(Λ); thus C must be atomic. We know that P cannot 
be in Λ^λ since M ∈ nf_β(Λ), and P cannot be in Λ^□ because Γ ⊢ P : A → C 
is derivable. Then by inductive hypothesis we have that P = xT_1⋯T_k for 
some T_1,...,T_k ∈ Λ̂. We conclude that PQ ∈ Λ̂; 

– if M = P[Q_1,...,Q_n/x_1,...,x_n]_□ ∈ nf_βηκ(Λ), then there is a derivable type 
assignment x_1 : B_1, ..., x_n : B_n ⊢ P : C and derivable type assignments Γ ⊢ 
Q_i : □B_i for all i ∈ {1,...,n}. Since M ∈ nf_βκ(Λ), no ⇝_βκ-rule can 
be applied to M, nor to P; thus P ∈ nf_βηκ(Λ). Similarly, since M ∈ nf_βηκ(Λ), 
then Q_i ∉ Λ^□ (otherwise we could apply ⇝_β2), Q_i ∈ nf_βκ(Λ) (since no βκ-rule 
can be applied to Q_i), Q_i cannot be in Λ^λ (because Q_i : □B_i) and Q_i ∈ nf_η(Λ) 
(otherwise ⇝_η-steps could be applied on M), for all i ∈ {1,...,n}. We 
conclude that M ∈ Λ̂. 


Rules of CK*: an axiom rule ax (Γ, x:C ⊢ x : C); an exchange rule ex (from Γ ⊢ M : C to 
σ(Γ) ⊢ M : C)†; a rule K deriving Δ, y_1:□A_1, ..., y_n:□A_n ⊢ M[y_1,...,y_n/x_1,...,x_n]_□ : □C 
from x_1:A_1, ..., x_n:A_n ⊢ M : C‡; a focused application rule deriving Γ, y : (A_1,...,A_n) → C ⊢ 
yN_1⋯N_n : C from the premises Γ, y : (A_1,...,A_n) → C ⊢ N_i : A_i (i ∈ {1,...,n}); 
a multiple-abstraction rule deriving Γ ⊢ λx_1⋯x_n.M : (A_1,...,A_n) → C from Γ, x_1:A_1, ..., x_n:A_n ⊢ M : C; 
and a rule deriving Γ, f_1 : (A_{1,1},...,A_{1,k_1}) → □B_1, ..., f_n : (A_{n,1},...,A_{n,k_n}) → □B_n ⊢ 
M[N_1,...,N_n, z̄/y_1,...,y_n, w̄]_□ : □C§¶ (rule layouts not reproduced). Side conditions: 
† σ is a permutation over {1,...,n} 
‡ x̄ = FV(M) = {x_1,...,x_n} and y_1,...,y_n fresh 
§ each N_i = f_i T_{i,1} ⋯ T_{i,h_i} for i ∈ {1,...,n} 
¶ Γ contains no formula of the shape (A_1,...,A_k) → □B 

Fig. 5. Typing rules of the typing system CK*. 


4 A Canonical Type System for CK 


In this section we present an alternative typing system for modal λ-terms where 
each term in Λ̂ admits exactly one typing derivation. The rules of this system (we 
call it CK*) are provided in Fig. 5 and are conceived to reduce the non-determinism 
of the typing process, following the same approach used in designing focused 
sequent calculi [8,12,42]. Derivations and derivability in CK* are defined analogously 
to Definition 1, using rules in CK* instead of rules in ND_CK. We remark 
that the structural rules of weakening and contraction are admissible in the 
system. 

We can now prove a result of canonicity of CK* with respect to typing derivations 
of modal λ-terms in nf_βηκ(Λ). 
Theorem 3. Let T ∈ Λ̂ and Γ ⊢ T : A be a derivable type assignment. Then 
there is a unique (up to ex-rules) derivation of Γ ⊢ T : A in CK*. 

Proof. The proof of this theorem follows from the correspondence between the 
inductive definition of terms in Λ̂ (Definition 4) and the shape of the typing rules 
of CK*. Details are provided in the extended version of this paper [4]. 


5 Game Semantics for CK 


In this section we recall definitions and results on the winning innocent strategies 
for the logic CK defined in [5]. For this purpose, we first recall the construction 
extending Hyland-Ong arenas [29,44] for intuitionistic propositional formulas to 
represent formulas containing modalities, and then we recall the characterization 
of the winning innocent strategies representing proofs in CK. We conclude by 
proving the full-completeness result for those strategies by showing a 
one-to-one correspondence between strategies for type assignments of terms in 
normal form and their (unique) typing derivations in CK*. 


5.1 Arenas with Modalities 


We recall the definition of arenas with modalities from [5], extending the encoding 
of arenas from [26,30]. For this purpose, we assume the reader familiar with the 
definition of two-color directed acyclic graphs (or 2-dags for short), i.e., directed acyclic 
graphs with two disjoint sets of directed edges → and ⇝ (details can be found 
in [5,26]). 


Definition 5. The arena of a formula F is the 2-dag ⟦F⟧ whose vertices are 
labeled by elements in ℒ = 𝒜 ∪ {□}, inductively defined as follows: 

⟦a⟧ = a      ⟦A → B⟧ = ⟦A⟧ → ⟦B⟧      ⟦□A⟧ = □ ⇝ ⟦A⟧   (7) 

where a and □ denote the graphs consisting of a single vertex labeled by a and □ 
respectively, and where the binary operations → and ⇝ on 2-dags are defined 
as follows: 

G → H = (V_G ⊎ V_H, →_G ⊎ →_H ⊎ (R_G → R_H), ⇝_G ⊎ ⇝_H) 
G ⇝ H = (V_G ⊎ V_H, →_G ⊎ →_H, ⇝_G ⊎ ⇝_H ⊎ (R_G ⇝ R_H)) 

with 
V_G ⊎ V_H = {(v_i, i) | i ∈ {0,1} and v_0 ∈ V_G and v_1 ∈ V_H}   and   ℓ((v_i, i)) = ℓ(v_i) 
∘_G ⊎ ∘_H = {((v_i, i), (w_i, i)) | i ∈ {0,1} and (v_0, w_0) ∈ ∘_G and (v_1, w_1) ∈ ∘_H}   for each ∘ ∈ {→, ⇝} 
(R_G ∘ R_H) = {((v, 0), (w, 1)) | v ∈ R_G, w ∈ R_H}   where R_X = {v ∈ V_X | v → w for no w ∈ V_X} 

The arena of a sequent A_1,...,A_n ⊢ C is the arena ⟦(A_1,...,A_n) → C⟧. 


Remark 2. By construction, an arena G of a formula or of a sequent Γ ⊢ C always 
admits a unique non-□-labeled vertex in R_G, i.e., a unique vertex v with ℓ(v) ≠ □ 
such that there is no w ∈ V_G such that v → w. 
We draw 2-dags by representing a vertex v by its label ℓ(v). If v and w are 
vertices of a 2-dag, then we draw an arrow of the corresponding kind from v to w 
if v → w or if v ⇝ w. By means of example, consider the arena below. 

⟦(a → □(b → (c → □d))) → □(e → f)⟧   (arena drawing not reproduced)   (8) 


Remark 3. All arenas of the form ⟦(A_σ(1),...,A_σ(n)) → C⟧ have the same representation 
for any permutation σ over {1,...,n}. More in general, it can 
be shown that the arenas of any two equivalent formulas modulo currying 
A → (B → C) ~ B → (A → C) can be depicted by the same arena. However, 
whenever there may be ambiguity because of the presence of two vertices 
with the same label, we may represent the vertex v = ((⋯(v', i_1)⋯), i_n) (where 
i_1,...,i_n ∈ {0,1}) by ℓ(v)_{i_1⋯i_n} instead of simply ℓ(v) = ℓ(v') (see Example 2). 


Definition 6. Let ⟦F⟧ be an arena and v one of its vertices. The depth of v is 
the number d(v) of vertices in a →-path from v to a vertex in R_⟦F⟧³. The address 
of v is defined as the unique sequence of modal vertices add(v) = m_1,...,m_h in 
V_⟦F⟧ corresponding to the sequence of modalities in the path in the formula tree 
of F connecting the node of v to the root. If add(v) = m_1,...,m_h, we denote 
by add^k(v) = m_k its k-th element and we call the height of v (denoted h_v) the 
number of elements in add(v). 


Example 2. Below is an alternative representation of the arena of the formula 
(a → □(b → (c → □d))) → □(e → f) in Equation (8), where the ambiguity of the 
vertex representation is avoided by the use of indices, together with the corresponding 
formula tree and the complete list of the addresses of all vertices in this arena 
(arena and formula-tree drawings not reproduced). 

add(a) = ε                add(□_011110) = ε           add(b) = □_011110 
add(c) = □_011110         add(□_010) = □_011110       add(d) = □_011110 □_010 
add(□_10) = ε             add(e) = □_10               add(f) = □_10 


5.2 Games and Winning Innocent Strategies 


In this subsection, we briefly recall the definitions of games and winning strategies 
from [5] required to make the paper self-contained. Note that, differently from 
the previous works, we here include the additional information of the pointer 
function in the definition of views. This information is crucial for the results 
in Sect. 4, where we provide a one-to-one correspondence between our winning 
strategies and modal λ-terms. 

³ As proven in [6,26], arenas are stratified, that is, all the →-paths from a vertex v to 
any vertex in R_⟦F⟧ have the same length. Therefore the number d(v) is well-defined. 


Definition 7. Let A be an arena. We call a move an occurrence of a vertex v 
of A with ℓ(v) ≠ □. The polarity of a move v is the parity of d(v): a move is a 
○-move (resp. a ●-move) if d(v) is even (resp. odd). 

A pointed sequence in A is a pair p = (s, f) where s = s_0,...,s_n is a finite 
sequence of moves in A and f : {1,...,n} → {0,...,n−1} is a pointer function 
such that f(i) < i and s_i → s_{f(i)}. The length of p (denoted |p|) is defined as the 
length of s, that is, |p| = n + 1. Note that we also use ε to denote the empty 
pointed sequence (ε, ∅). 


Remark 4. It follows by definition of view that the player ○ (resp. ●) can only 
play vertices whose d(v) is even (resp. odd). For this reason, for each v ∈ V_A we 
write v° (resp. v•) if the parity of d(v) is even (resp. odd). 

Note that the parity of a modality in the address of a move may not be the 
same as the parity of the move itself. By means of example, consider the vertex 
c in Example 2, which belongs in the scope of two modalities □_011110 and □_010 
with odd parity. 


Given two pointed sequences p = (s, f) and p' = (s', f') in A, we write p ⊑ p' 
whenever s is a prefix of s' (thus |s| ≤ |s'|) and f(i) = f'(i) for all i ∈ {1,...,|p'|}, 
and we say that p is a predecessor of p' if p ⊑ p' and |p| = |p'| − 1. 


Definition 8. Let A be an arena. A play on A is a pointed sequence p = (s, f) such that either s = ε, or s_i and s_{i+1} have opposite polarities for all i ∈ {0, …, |p| − 1}.
The game of A (denoted G_A) is the set of prefix-closed sets of plays over A.
A view is a play p = (s, f) such that either p = ε or the following properties hold:
- p is ○-shortsighted: f(2k) = 2k − 1 for every 2k ∈ {2, …, |p|};
- p is •-uniform: ℓ(s_{2k+1}) = ℓ(s_{2k}) for every 2k + 1 ∈ {0, …, |p|}.


A winning innocent strategy (or WIS for short) for the game G_A is a finite non-empty prefix-closed set S of views in G_A such that:
- S is ○-complete: if p ∈ S and p has odd length, then every successor of p (in G_A) is also in S;
- S is •-total: if p ∈ S and p has even length, then exactly one successor of p (in G_A) is in S.
A view is maximal in S if it is not a prefix of any other view in S. S is trivial if S = {ε}. We say that S is a WIS for a sequent A_1, …, A_n ⊢ C if S is a WIS for [A_1, …, A_n ⊢ C].


The definition of WIS above is a reformulation of the one in the literature of game semantics for intuitionistic propositional logic [14,26,29]. In presence of modalities, this definition needs to be refined to guarantee the possibility of gathering modalities in batches corresponding to the modalities introduced by a single application of the K rule (see Fig. 2). By means of example, consider the following arenas and their corresponding WISs, which cannot represent valid proofs in CK because of the impossibility of applying the rules handling the modalities in a correct way.

[Fig. 6 residue. Arenas: [◻a ⊃ a] and [(◻a ⊃ ◻b) ⊃ ◻(a ⊃ b)]. WISs: S_1 = {ε, a^○, a^○a^•} and S_2 = {ε, b^○, b^○b^•, b^○b^•a^○, b^○b^•a^○a^•}. Failed derivations: proof search on ◻a ⊢ a fails (FAIL); proof search on ⊢ (◻a ⊃ ◻b) ⊃ ◻(a ⊃ b) reaches ◻a ⊃ ◻b ⊢ ◻(a ⊃ b) and fails (FAIL). The arena drawings and derivation trees are not recoverable.]

Fig. 6. Examples of WISs for arenas not corresponding to proofs.


Example 3. Consider the formulas F_1 = (◻a) ⊃ a and F_2 = (◻a ⊃ ◻b) ⊃ ◻(a ⊃ b) and their arenas in Fig. 6. The sets of views S_1 and S_2 are WISs for F_1 and F_2 respectively. However, these formulas are not provable in SCK because the proof search fails (see Fig. 6). In particular, in the first case, no K rule can be applied because there is a mismatch between the modalities on the left-hand side and on the right-hand side of the sequent; in the second case the problem is more subtle and, intuitively, is related to the fact that each K rule can remove only a single ◻ at a time, corresponding to the modality of the unique formula on the right-hand side of the sequent.


Therefore, in order to capture provability in CK, the notion of winning strate- 
gies has to be refined as follows. 


Definition 9. Let p = (s, f) be a view in a strategy S on an arena A, and let h_p = 1 + max{h_v | v ∈ p}. We define the batched view of p as the h_p × n matrix F(p) = (F(p)_0, …, F(p)_n) with elements in V_A ∪ {ε} such that each column F(p)_i is defined as follows:

$$
\mathcal{F}(p)_i^{h} =
\begin{cases}
p_i & \text{if } h = 0,\\
\mathrm{add}^{h}(p_i) & \text{if } 1 \le h \le h_{p_i},\\
\varepsilon & \text{if } h_{p_i} < h < h_p,
\end{cases}
$$

that is, reading the column from the top, F(p)_i^{h_p-1} = ε, …, F(p)_i^{h_{p_i}+1} = ε (the column has h_p − h_{p_i} − 1 entries ε), then F(p)_i^{h_{p_i}} = add^{h_{p_i}}(p_i), …, F(p)_i^{1} = add^{1}(p_i), and finally F(p)_i^{0} = p_i.

We say that p is well-batched if |add(s_{2k})| = |add(s_{2k+1})| for every 2k ∈ {0, …, |p| − 1}. Each well-batched view p induces an equivalence relation ∼ over V_A generated by:

$$
u \sim w \quad \text{if } u = \mathcal{F}(p)^{h}_{2k} \text{ and } w = \mathcal{F}(p)^{h}_{2k+1} \text{ for some } 2k < n - 1 \text{ and some } h < h_p \qquad (9)
$$




A WIS S is linked if it contains only well-batched views and if for every p ∈ S the ∼-classes are of the shape {v_1^○, …, v_n^○, w^•}.
A CK-winning innocent strategy (or CK-WIS for short) is a linked WIS S.^4


Example 4. Consider the arenas in Fig. 6. The batched views of the (unique) maximal views in S_1 and S_2 are

$$
\begin{pmatrix} \varepsilon & \Box \\ a^{\circ} & a^{\bullet} \end{pmatrix}
\qquad\text{and}\qquad
\begin{pmatrix} \Box_{10} & \Box_{010} & \Box_{000} & \Box_{10} \\ b^{\circ} & b^{\bullet} & a^{\circ} & a^{\bullet} \end{pmatrix}
$$

respectively. The first is not well-batched because a^○ has height 0 while a^• has height 1, while the second, even if well-batched, is not linked because the ∼-class {◻_{10}, ◻_{010}, ◻_{000}} contains two ◻^•.


The definition of CK-WISs allows us to obtain a full-completeness result with 
respect to CK which, together with the good compositionality properties of CK- 
WISs shown in [5,11], provides a full-complete denotational semantics for the 
logic CK. That is, every given CK-WIS is the encoding of a derivation in CK, and 
if a derivation D reduces via cut-elimination to a derivation D’, then they are 
encoded by the same CK-WIS. 


Theorem 4 ([5]). The set of CK-WISs is a full-complete denotational model for 
CK. 


5.3 Full Completeness for Modal Lambda Terms in Normal Form 


We can prove the full completeness result using the type system CK* and relying on Theorem 3. For this purpose, we have to extend the definition of α-equivalence from terms to type assignments in order to avoid technicalities in our proofs, since in arenas we keep no track of variable names. For example, consider the α-equivalent terms λx.x and λy.y, whose derivations should be considered non-equivalent due to the fact that α-equivalence does not extend to type assignments; therefore the two occurrences of the axiom rule with conclusions x : a ⊢ x : a and y : a ⊢ y : a should be considered distinct.^5


Definition 10. Let A_1, …, A_n ⊢ C be a sequent. We define Λ(Γ ⊢ C) as the set of terms M such that the typing judgement x_1 : A_1, …, x_n : A_n ⊢ M : C is derivable, that is,

$$
\Lambda(\Gamma \vdash C) = \{\, M \in \Lambda \mid x_1 : A_1, \dots, x_n : A_n \vdash M : C \text{ is derivable for some } x_1, \dots, x_n \,\}.
$$


If M, N ∈ Λ(Γ ⊢ C), we define M ≡^α_Γ N as the smallest equivalence relation generated by the rule

$$
\frac{M\{z_1, \dots, z_n / x_1, \dots, x_n\} = N\{z_1, \dots, z_n / y_1, \dots, y_n\}}{M \equiv^{\alpha}_{\Gamma} N}
\qquad z_i \text{ is fresh.}
$$


4 We here provide a simpler definition of CK-WISs w.r.t. the one in [5]. In fact, we are able to simplify this definition here because we are considering the ◇-free fragment of CK.

5 Note that another possible way to deal with this problem is to label non-modal vertices of arenas by pairs of propositional atoms and variables instead of propositional variables only.
[Fig. 7 body: one rule for each typing rule of CK*, giving the CK-WIS of the conclusion in terms of the CK-WISs D, D′, D_1, …, D_n of the premises; the rule figures are not recoverable. Side conditions legible in the residue: f_σ(p) is the view obtained by applying f_σ to each move in p (and updating its pointer accordingly), where f_σ is an isomorphism between [Γ ⊢ M : C] and [σ(Γ) ⊢ M : C]; c^• (resp. b_j^•) is the unique non-○ vertex in the corresponding arena (resp. in [◻B_j]).]

Fig. 7. Rules to construct a CK-WIS from a type derivation in CK*. For reasons of readability, we assume there is an implicit map identifying the moves in the arenas of the type assignments in the premises with the moves in the arena of the type assignment in the conclusion. Note that c^○ and c^• are occurrences of the same atom c, but we have decorated them to improve readability.


From now on, we consider derivations up to the α-equivalence defined above, that is, we consider derivations up to renaming of the variables occurring in a typing context.


Theorem 5. There is a one-to-one correspondence between terms in Λ_N ∩ Λ(Γ ⊢ C) and CK-WISs for Γ ⊢ C.


Proof. Given a CK-WIS S for Γ ⊢ C, we can define a (unique) typing derivation D_S in CK* of a term T_S ∈ Λ_N ∩ Λ(Γ ⊢ C) by induction on the lexicographic order over the pairs (|S|, |C|), reasoning on the inductive definition of Λ.

Similarly, given a type assignment Γ ⊢ T : C for a T ∈ Λ_N, then, by Theorem 3, there is a (unique) derivation D_T in CK*. We define S_T as the CK-WIS defined by induction on the number of rules in D_T using the rules in Fig. 7. We conclude since S_{T_S} = S and T_{S_T} = T by definition.


6 Conclusion 


In this paper we introduced a new modal λ-calculus for the ◇-free fragment of the constructive modal logic CK (without conjunction or disjunction). This lambda calculus builds on the work in [32], by adding a restricted η-reduction as well as two new reduction rules dealing with the explicit substitution constructor used to model the modality ◻. We proved normalization and confluence for this calculus and we provided a one-to-one correspondence between the set of terms in normal form and the set of winning strategies for the logic CK introduced in [5].

We foresee the possibility of extending the result presented in this paper to the entire disjunction-free fragment of CK, for which winning strategies are already defined in [5]. For this purpose, we should consider additional term constructors for terms whose type is a conjunction, as well as a new Let-like operator to model terms whose type is a ◇-formula, similar to the one proposed in [10]. For this reason, in future works we plan to reformulate our lambda-calculus in the light of the novel line of research on calculi with explicit substitutions [1,2,34,35]. This approach would allow us to simplify some of the technicalities and achieve a more elegant operational semantics. Another interesting perspective is to extend our approach to operational semantics to the Fitch-style modal λ-calculus studied in [53].

At the same time, we plan to make explicit that our game semantics provides a concrete model for the cartesian closed categories provided with a strong monoidal endofunctor [10,33]. Indeed, the categorical semantics of the calculus in [10] is modeled by means of cartesian closed categories equipped with a strong monoidal endofunctor taking into account the proof-theoretical behavior of the ◻-modality. We further conjecture that the syntactic category obtained via the quotient of modal terms modulo the relations we introduce in this paper is indeed a free cartesian closed category on a set of atoms with a strong monoidal endofunctor.
Abstract. This work is the first exploration of proof-theoretic semantics for a substructural logic. It focuses on the base-extension semantics
(B-eS) for intuitionistic multiplicative linear logic (IMLL). The starting 
point is a review of Sandqvist’s B-eS for intuitionistic propositional logic 
(IPL), for which we propose an alternative treatment of conjunction that 
takes the form of the generalized elimination rule for the connective. The 
resulting semantics is shown to be sound and complete. This motivates 
our main contribution, a B-eS for IMLL, in which the definitions of the 
logical constants all take the form of their elimination rule and for which 
soundness and completeness are established. 


Keywords: Logic · Semantics · Proof Theory · Proof-theoretic Semantics · Substructural Logic · Multiplicative Connectives


1 Introduction 


In model-theoretic semantics (M-tS), logical consequence is defined in terms of models; that is, abstract mathematical structures in which propositions are interpreted and their truth is judged. As Schroeder-Heister [33] explains, in the standard reading given by Tarski [38,39], a propositional formula φ follows model-theoretically from a context Γ iff every model of Γ is a model of φ; that is,

$$
\Gamma \models \varphi \quad\text{iff}\quad \text{for all models } \mathfrak{M},\ \text{if } \mathfrak{M} \models \psi \text{ for all } \psi \in \Gamma, \text{ then } \mathfrak{M} \models \varphi
$$

Therefore, consequence is understood as the transmission of truth. Importantly, on this plan, meaning and validity are characterized in terms of truth.
Proof-theoretic semantics (P-tS) is an alternative approach to meaning and 
validity in which they are characterized in terms of proofs—understood as objects 
denoting collections of acceptable inferences from accepted premisses. This is 
subtle. It is not that one desires a proof system that precisely characterizes the 
consequences of the logic of interest, but rather that one desires to express the 
meaning of the logical constants in terms of proofs and provability. Indeed, as 
Schroeder-Heister [33] observes, since no formal system is fixed (only notions of 
inference) the relationship between semantics and provability remains the same as it has always been—in particular, soundness and completeness are desirable features of formal systems. Essentially, what differs is that proofs serve the role of truth in model-theoretic semantics. The semantic paradigm supporting P-tS is inferentialism—the view that meaning (or validity) arises from rules of inference (see Brandom [5]).

To illustrate the paradigmatic shift from M-tS to P-tS, consider the proposition ‘Tammy is a vixen’. What does it mean? Intuitively, it means, somehow, ‘Tammy is female’ and ‘Tammy is a fox’. On inferentialism, its meaning is given by the rules,

$$
\frac{\text{Tammy is a fox}\qquad \text{Tammy is female}}{\text{Tammy is a vixen}}
\qquad
\frac{\text{Tammy is a vixen}}{\text{Tammy is female}}
\qquad
\frac{\text{Tammy is a vixen}}{\text{Tammy is a fox}}
$$

These merit comparison with the laws governing ∧ in IPL, which justify the sense in which the above proposition is a conjunction:

$$
\frac{\varphi \qquad \psi}{\varphi \wedge \psi}
\qquad
\frac{\varphi \wedge \psi}{\varphi}
\qquad
\frac{\varphi \wedge \psi}{\psi}
$$


There are two major branches of P-tS: proof-theoretic validity (P-tV) in the 
Dummett-Prawitz tradition (see, for example, Schroeder-Heister [32]) and base- 
extension semantics (B-eS) in the sense of, for example, Sandqvist [28-30]. The 
former is a semantics of arguments, and the latter is a semantics of a logic, but 
both are proof-theoretic semantics. This paper is concerned with the latter as 
explained below. 

Tennant [40] provides a general motivation for P-tV: reading a consequence judgement Γ ⊢ φ proof-theoretically—that is, that φ follows by some reasoning from Γ—demands a notion of valid argument that encapsulates what the forms of valid reasoning are. That is, we require explicating the semantic conditions required for an argument that witnesses

ψ_1, …, ψ_n; therefore, φ


to be valid. A particular motivation comes from the following programmatic 
remarks by Gentzen [37]: 


The introductions represent, as it were, the ‘definitions’ of the symbols 
concerned, and the eliminations are no more, in the final analysis, than the 
consequences of these definitions. This fact may be expressed as follows: In 
eliminating a symbol, we may use the formula with whose terminal symbol 
we are dealing only ‘in the sense afforded it by the introduction of that 
symbol’. 


Dummett [9] developed a philosophical understanding of the normalization 
results of Prawitz [25], which give a kind of priority to the introduction rules, that 
yields a notion of valid arguments. The result is P-tV—see Schroeder-Heister [32] 
for a succinct explanation. 
$$
\begin{array}{ll}
(\mathrm{At}) & \Vdash_{\mathcal B} p \ \text{ iff } \ \vdash_{\mathcal B} p \\[2pt]
(\to) & \Vdash_{\mathcal B} \varphi \to \psi \ \text{ iff } \ \varphi \Vdash_{\mathcal B} \psi \\[2pt]
(\wedge) & \Vdash_{\mathcal B} \varphi \wedge \psi \ \text{ iff } \ \Vdash_{\mathcal B} \varphi \text{ and } \Vdash_{\mathcal B} \psi \\[2pt]
(\vee) & \Vdash_{\mathcal B} \varphi \vee \psi \ \text{ iff } \ \text{for any } \mathcal C \text{ such that } \mathcal B \subseteq \mathcal C \text{ and any } p \in \mathbb A, \\
 & \qquad \text{if } \varphi \Vdash_{\mathcal C} p \text{ and } \psi \Vdash_{\mathcal C} p, \text{ then } \Vdash_{\mathcal C} p \\[2pt]
(\bot) & \Vdash_{\mathcal B} \bot \ \text{ iff } \ \Vdash_{\mathcal B} p \text{ for any } p \in \mathbb A \\[2pt]
(\mathrm{Inf}) & \Gamma \Vdash_{\mathcal B} \varphi \ \text{ iff } \ \text{for any } \mathcal C \text{ such that } \mathcal B \subseteq \mathcal C, \\
 & \qquad \text{if } \Vdash_{\mathcal C} \psi \text{ for any } \psi \in \Gamma, \text{ then } \Vdash_{\mathcal C} \varphi
\end{array}
$$

Fig. 1. Sandqvist’s Support in a Base


More generally, P-tV is about defining a notion of validity of objects witnessing that a formula φ follows by some reasoning from a collection of formulae Γ. This is quite different from simply giving an interpretation of proofs from some formal system; for example, while the version of P-tV discussed above is closely related to the BHK interpretation of IPL, it is important to distinguish the semantic and computational aspects—see, for example, Schroeder-Heister [32].

Meanwhile, B-eS proceeds via a judgement called support defined inductively 
according to the structure of formulas with the base case (i.e., the support of 
atoms) given by proof in a base. A base is a set of inference rules over atomic 
propositions, thought of as defining those atoms—an example is the set of rules 
above that define "Tammy is a vixen'. Though this approach is closely related to 
possible world semantics in the sense of Beth [2] and Kripke [17]—see, for exam- 
ple, Goldfarb [13] and Makinson [18]—it remains subtle. For example, there are 
several incompleteness results for intuitionistic logics—see, for example, Piecha 
et al. [20,21,23], Goldfarb [13], Sandqvist [27-30], Stafford [36]. Significantly, a 
sound and complete B-eS for IPL has been given by Sandqvist [29]. Gheorghiu 
and Pym [10] have shown that this B-eS captures the declarative content of 
P-tV. 

Sandqvist’s B-eS for IPL is the point of departure for this paper. Fix a set of atomic propositions 𝔸. Given a base ℬ, we write ⊢_ℬ p to denote that p ∈ 𝔸 can be derived in ℬ. Support in a base ℬ—denoted ⊩_ℬ—is defined by the clauses of Fig. 1, in which Γ ≠ ∅. We desire to give an analogous semantics for intuitionistic multiplicative linear logic (IMLL). We study this logic as it is the minimal setting in which we can explore how to set up B-eS (and P-tS in general) for substructural logics, which enables extension to, for example, (intuitionistic) Linear Logic [11] and the logic of Bunched Implications [19]. Again, the aim is not simply to give a proof-theoretic interpretation of IMLL, which already exists, but to define the logical constants in terms of proofs.

A compelling reading of IMLL is its resource interpretation, which is inherently proof-theoretic—see Girard [11]. Accordingly, looking at (Inf), we expect that φ being supported in a base ℬ relative to some multiset of formulas Γ means that the ‘resources’ garnered by Γ suffice to produce φ. We may express this by enriching the notion of support with multisets of resources P and U combined with multiset union—denoted ,. Then, that the resources garnered by Γ are given to φ is captured by the following property:

$$
\Gamma \Vdash^{P}_{\mathcal B} \varphi \quad\text{iff}\quad \text{for any } \mathcal C \supseteq \mathcal B \text{ and any } U,\ \text{if } \Vdash^{U}_{\mathcal C} \Gamma, \text{ then } \Vdash^{P,U}_{\mathcal C} \varphi
$$

Naively, we may define ⊗ as a resource-sensitive version of (∧); that is,

$$
\Vdash^{P}_{\mathcal B} \varphi \otimes \psi \quad\text{iff}\quad \text{there are } P_1, P_2 \text{ such that } P = (P_1, P_2),\ \Vdash^{P_1}_{\mathcal B} \varphi, \text{ and } \Vdash^{P_2}_{\mathcal B} \psi
$$


While the semantics is sound, proving completeness is more subtle. We aim to follow the method by Sandqvist [30], and this clause is not suitable because the following is not the case for IMLL:

$$
\Gamma \vdash \varphi \otimes \psi \quad\text{iff}\quad \text{there are } \Delta_1, \Delta_2 \text{ such that } \Gamma = (\Delta_1, \Delta_2),\ \Delta_1 \vdash \varphi, \text{ and } \Delta_2 \vdash \psi
$$

—a counter-example is the case where Γ is the (singleton) multiset consisting of φ ⊗ ψ, which denies any non-trivial partition into smaller multisets. We therefore take a more complex clause, which is inspired by the treatment of disjunction in IPL, that enables us to prove completeness using the approach by Sandqvist [29].

There is an obvious difference between the B-eS for IPL and its standard possible world semantics by Kripke [17]—namely, the treatment of disjunction (∨) and absurdity (⊥). The possible world semantics has the clause,

$$
\mathfrak M, x \Vdash \varphi \vee \psi \quad\text{iff}\quad \mathfrak M, x \Vdash \varphi \ \text{ or } \ \mathfrak M, x \Vdash \psi
$$

If such a clause is taken in the definition of validity in a B-eS for IPL, it leads to incompleteness—see, for example, Piecha and Schroeder-Heister [20,21]. To yield completeness, Sandqvist [30] uses a more complex form that is close to the elimination rule for disjunction in natural deduction (see Gentzen [37] and Prawitz [24])—that is,

$$
\Vdash_{\mathcal B} \varphi \vee \psi \quad\text{iff}\quad \text{for any } \mathcal C \text{ such that } \mathcal B \subseteq \mathcal C \text{ and any } p \in \mathbb A,\ \text{if } \varphi \Vdash_{\mathcal C} p \text{ and } \psi \Vdash_{\mathcal C} p, \text{ then } \Vdash_{\mathcal C} p
$$


One justification for the clauses is the principle of definitional reflection (DR) 
(see Hallnàs [14,15] and Schroeder-Heister [31]): 


whatever follows from all the premisses of an assertion also follows from 
the assertion itself 


Taking the perspective that the introduction rules are definitions, DR provides an answer for the way in which the elimination rules follow. Similarly, it justifies that the clauses for the logical constants take the form of their elimination rules.

Why does the clause for conjunction (∧) not take the form given by DR? What DR gives is the generalized elimination rule,

$$
\frac{\varphi \wedge \psi \qquad \begin{array}{c}[\varphi,\ \psi]\\ \vdots\\ \chi\end{array}}{\chi}
$$

We may modify the B-eS for IPL by replacing (∧) with the following:

$$
(\wedge^*)\quad \Vdash_{\mathcal B} \varphi \wedge \psi \quad\text{iff}\quad \text{for any } \mathcal C \supseteq \mathcal B \text{ and any } p \in \mathbb A,\ \text{if } \varphi, \psi \Vdash_{\mathcal C} p, \text{ then } \Vdash_{\mathcal C} p
$$


We show in Sect. 2.3 that the result does indeed characterize IPL. Indeed, it is easy to see that the generalized elimination rule and the usual elimination rule for ∧ have the same expressive power.

Note, we here take the definitional view of the introduction rules for the logical constants of IPL, and not of bases themselves, and thus do not contradict the distinctions made by Piecha and Schroeder-Heister [22,34].

Taking this analysis into consideration, we take the following definition of 
the multiplicative conjunction that corresponds to the definitional reflection of 
its introduction rule: 


$$
\Vdash^{P}_{\mathcal B} \varphi \otimes \psi \quad\text{iff}\quad \text{for any } \mathcal C \supseteq \mathcal B, \text{ resources } U, \text{ and } p \in \mathbb A,\ \text{if } \varphi, \psi \Vdash^{U}_{\mathcal C} p, \text{ then } \Vdash^{P,U}_{\mathcal C} p
$$


We show in Sect. 4 that the result does indeed characterize IMLL. 

The paper is structured as follows: in Sect. 2, we review the B-eS for IPL given by Sandqvist [29]; in Sect. 3, we define IMLL and provide intuitions about its B-eS; in Sect. 4, we formally define the B-eS for IMLL and explain its soundness and completeness proofs. The paper ends in Sect. 5 with a conclusion and summary of results.


2 Base-Extension Semantics for IPL 


In this section, we review the B-eS for IPL given by Sandqvist [29]. In Sect. 2.1, 
we give a terse but complete definition of the B-eS for IPL. In Sect.2.2, we 
summarize the completeness proof. Finally, in Sect. 2.3, we discuss a modification 
of the treatment of conjunction. While IPL is not the focus of this paper, this 
review provides intuition and motivates the B-eS for IMLL in Sect. 3. Specifically, 
the analysis of the treatment of conjunction in IPL motivates the handling of 
the multiplicative conjunction in IMLL. 

Throughout this section, we fix a denumerable set of atomic propositions 𝔸, and the following conventions: p, q, … denote atoms; P, Q, … denote finite sets of atoms; φ, ψ, θ, … denote formulas; Γ, Δ, … denote finite sets of formulas.

We forego an introduction to IPL, which is doubtless familiar—see van Dalen [7]. For clarity, note that we distinguish sequents Γ ▷ φ from judgements Γ ⊢ φ that say that the sequent is valid in IPL.


2.1 Support in a Base 


The B-eS for IPL begins by defining derivability in a base. A (properly) second-level atomic rule—see Piecha and Schroeder-Heister [22,34]—is a natural deduction rule of the following form, in which q, q_1, …, q_n are atoms and Q_1, …, Q_n are (possibly empty) sets of atoms:

$$
\frac{\begin{array}{c}[Q_1]\\ \vdots\\ q_1\end{array}\qquad \cdots \qquad \begin{array}{c}[Q_n]\\ \vdots\\ q_n\end{array}}{q}
$$

Importantly, atomic rules are taken per se and not closed under substitution. They may be expressed inline as (Q_1 ▷ q_1, …, Q_n ▷ q_n) ⇒ q—note, the axiom case is the special case when the left-hand side is empty, ⇒ q. They are read as natural deduction rules in the sense of Gentzen [37]; thus, ⇒ q means that the atom q may be concluded whenever, while (Q_1 ▷ q_1, …, Q_n ▷ q_n) ⇒ q means that one may derive q from a set of atoms S if one has derived q_i from S assuming Q_i for i = 1, …, n.

A base is a set of atomic rules. We write ℬ, 𝒞, … to denote bases, and ∅ to denote the empty base (i.e., the base with no rules). We say 𝒞 is an extension of ℬ if 𝒞 is a superset of ℬ, denoted 𝒞 ⊇ ℬ.


Definition 1 (Derivability in a Base). Derivability in a base ℬ is the least relation ⊢_ℬ satisfying the following:

(Ref-IPL) S, q ⊢_ℬ q.
(App-IPL) If atomic rule (Q_1 ▷ q_1, …, Q_n ▷ q_n) ⇒ q is in ℬ, and S, Q_i ⊢_ℬ q_i for all i = 1, …, n, then S ⊢_ℬ q.


This forms the base case of the B-eS for IPL: 


Definition 2 (Sandqvist's Support in a Base). Sandqvist's support in a base ℬ is the least relation ⊩_ℬ defined by the clauses of Fig. 1. A sequent Γ ▷ φ is valid—denoted Γ ⊩ φ—iff it is supported in every base,

$$
\Gamma \Vdash \varphi \quad\text{iff}\quad \Gamma \Vdash_{\mathcal B} \varphi \text{ holds for any } \mathcal B
$$

Every base is an extension of the empty base (∅), therefore Γ ⊩ φ iff Γ ⊩_∅ φ. Sandqvist [29] showed that this semantics characterizes IPL:


Theorem 1 (Sandqvist [29]). Γ ⊢ φ iff Γ ⊩ φ.

Soundness—that is, Γ ⊢ φ implies Γ ⊩ φ—follows from showing that ⊩ respects the rules of Gentzen's [37] NJ; for example, Γ ⊩ φ and Δ ⊩ ψ implies Γ, Δ ⊩ φ ∧ ψ. Completeness—that is, Γ ⊩ φ implies Γ ⊢ φ—is more subtle. We present the argument in Sect. 2.2 as it motivates the work in Sect. 4.3.
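Derivability in a base (Definition 1) is the one part of the semantics that is directly computable, since support (Fig. 1) quantifies over all base extensions. The following is an added example, not from the paper, that decides S ⊢_ℬ q for second-level atomic rules as a least relation: a goal that recurs on its own derivation path is answered negatively there, which is exactly what "least" demands. The base (the ‘Tammy is a vixen’ rules of the introduction plus one constructed rule with a hypothetical premise) and all atom names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

Atom = str
# A premise "Q_i ▷ q_i": derive q_i under the additional hypotheses Q_i.
Premise = Tuple[FrozenSet[Atom], Atom]


@dataclass(frozen=True)
class AtomicRule:
    """Second-level atomic rule (Q_1 ▷ q_1, ..., Q_n ▷ q_n) ⇒ q.

    An empty premise tuple is the axiom case "⇒ q".  Rules are taken per se:
    no substitution of atoms is ever applied to them.
    """
    premises: Tuple[Premise, ...]
    conclusion: Atom


def rule(conclusion: Atom, *premises: Tuple[Iterable[Atom], Atom]) -> AtomicRule:
    """rule("q", (("p1", "p2"), "q1"), ((), "q2")) is (p1, p2 ▷ q1, ▷ q2) ⇒ q."""
    return AtomicRule(tuple((frozenset(hyps), c) for hyps, c in premises), conclusion)


def derivable(base: FrozenSet[AtomicRule], S: Iterable[Atom], q: Atom,
              _open: FrozenSet[Tuple[FrozenSet[Atom], Atom]] = frozenset()) -> bool:
    """Decide S ⊢_B q, the least relation closed under (Ref-IPL) and (App-IPL).

    _open holds the goals on the current derivation path.  A goal that reappears
    on its own path has no finite derivation through that path, so it is answered
    False there.  The least fixed point is exactly the set of goals with a finite
    derivation, and such a derivation can always be taken free of repeated goals
    along a path, so the search stays complete.
    """
    S = frozenset(S)
    if q in S:                                   # (Ref-IPL): S, q ⊢ q
        return True
    goal = (S, q)
    if goal in _open:                            # cycle on this path
        return False
    path = _open | {goal}
    for r in base:                               # (App-IPL)
        if r.conclusion != q:
            continue
        # every premise Q_i ▷ q_i must hold: S, Q_i ⊢ q_i
        if all(derivable(base, S | Q, qi, path) for Q, qi in r.premises):
            return True
    return False


# Constructed base: the 'Tammy is a vixen' rules, plus one second-level rule.
TAMMY = frozenset({
    rule("vixen", ((), "fox"), ((), "female")),  # fox, female ⇒ vixen
    rule("female", ((), "vixen")),               # vixen ⇒ female
    rule("fox", ((), "vixen")),                  # vixen ⇒ fox
    # (fox ▷ vixen) ⇒ fox_to_vixen: fox_to_vixen holds once vixen is derivable
    # under the extra assumption fox (cf. the atomized implication of Sect. 2.2).
    rule("fox_to_vixen", (("fox",), "vixen")),
})


def monotone_in_base(base, extension, S, q) -> bool:
    """Check that extending the base preserves derivability of S ⊢ q."""
    return (not derivable(base, S, q)) or derivable(base | extension, S, q)


def demo() -> dict:
    """A few judgements S ⊢_TAMMY q decided by `derivable`."""
    return {
        "fox,female ⊢ vixen": derivable(TAMMY, {"fox", "female"}, "vixen"),
        "vixen ⊢ fox": derivable(TAMMY, {"vixen"}, "fox"),
        # vixen needs female, female needs vixen: a cycle with no base case
        "∅ ⊢ vixen": derivable(TAMMY, set(), "vixen"),
        # hypothetical premise: {female, fox} ⊢ vixen, so fox_to_vixen follows
        "female ⊢ fox_to_vixen": derivable(TAMMY, {"female"}, "fox_to_vixen"),
        "∅ ⊢ fox_to_vixen": derivable(TAMMY, set(), "fox_to_vixen"),
    }


if __name__ == "__main__":
    for judgement, holds in demo().items():
        print(f"{judgement:26} {'holds' if holds else 'fails'}")
```

Adding the axiom ⇒ female to the base makes ∅ ⊢ fox_to_vixen derivable, illustrating that derivability is preserved under base extension 𝒞 ⊇ ℬ.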


2.2 Completeness of IPL 


We require to show that Γ ⊩ φ implies that there is an NJ-proof witnessing Γ ⊢ φ. To this end, we associate to each sub-formula ρ of Γ ∪ {φ} a unique atom r, and construct a base 𝒩 such that r behaves in 𝒩 as ρ behaves in NJ. Moreover, formulas and their atomizations are semantically equivalent in any extension of 𝒩 so that support in 𝒩 characterizes both validity and provability. When ρ ∈ 𝔸, we take r := ρ, but for complex ρ we choose r to be alien to Γ and φ.
[Fig. 2 residue: the atomic rules of 𝒩, one group for each connective, stated over the atomizations (ρ ∧ σ)^♭, (ρ ∨ σ)^♭, (ρ → σ)^♭ and ⊥^♭; the rule figures are not recoverable.]

Fig. 2. Atomic System 𝒩


Example 1. Suppose ρ := p ∧ q is a sub-formula of Γ ∪ {φ}. Associate to it a fresh atom r. Since the principal connective of ρ is ∧, we require 𝒩 to contain the following rules:

$$
\frac{p \qquad q}{r}\qquad \frac{r}{p}\qquad \frac{r}{q}
$$

We may write (p ∧ q)^♭ for r so that these rules may be expressed as follows:

$$
\frac{p \qquad q}{(p \wedge q)^{\flat}}\qquad \frac{(p \wedge q)^{\flat}}{p}\qquad \frac{(p \wedge q)^{\flat}}{q}
$$


Formally, given a judgement Γ ⊩ φ, to every sub-formula ρ associate a unique atomic proposition ρ^♭ as follows:

— if ρ ∉ 𝔸, then ρ^♭ is an atom that does not occur in any formula in Γ ∪ {φ};
— if ρ ∈ 𝔸, then ρ^♭ = ρ.

By unique we mean that (·)^♭ is injective—that is, if ρ ≠ σ, then ρ^♭ ≠ σ^♭. The left-inverse of (·)^♭ is (·)^♮, and the domain may be extended to the entirety of 𝔸 by identity on atoms not in the codomain of (·)^♭. Both functions act on sets pointwise—that is, Σ^♭ := {ρ^♭ | ρ ∈ Σ} and P^♮ := {p^♮ | p ∈ P}. Relative to (·)^♭, let 𝒩 be the base containing the rules of Fig. 2 for any sub-formulas ρ and σ of Γ and φ, and any p ∈ 𝔸.

Sandqvist [29] establishes three claims that deliver completeness: 


(IPL-AtComp) Let S ⊆ 𝔸 and p ∈ 𝔸 and let ℬ be a base: S ⊩_ℬ p iff S ⊢_ℬ p.
(IPL-Flat) For any sub-formula ξ of Γ ∪ {φ} and 𝒩′ ⊇ 𝒩: ⊩_{𝒩′} ξ^♭ iff ⊩_{𝒩′} ξ.
(IPL-Nat) Let S ⊆ 𝔸 and p ∈ 𝔸: if S ⊢_𝒩 p, then S^♮ ⊢ p^♮.

The first claim is completeness in the atomic case. The second claim is that ξ^♭ and ξ are equivalent in 𝒩—that is, ξ^♭ ⊩_𝒩 ξ and ξ ⊩_𝒩 ξ^♭. Consequently,

$$
\Gamma^{\flat} \Vdash_{\mathcal N} \varphi^{\flat} \quad\text{iff}\quad \Gamma \Vdash_{\mathcal N} \varphi
$$

The third claim is the simulation statement which allows us to make the final move from derivability in 𝒩 to derivability in NJ.


Proof (Theorem 1—Completeness). Assume Γ ⊩ φ and let 𝒩 be its bespoke base. By (IPL-Flat), Γ^♭ ⊩_𝒩 φ^♭. Hence, by (IPL-AtComp), Γ^♭ ⊢_𝒩 φ^♭. Whence, by (IPL-Nat), (Γ^♭)^♮ ⊢ (φ^♭)^♮, i.e. Γ ⊢ φ, as required.
2.3 Base-Extension Semantics for IPL, Revisited


Goldfarb [13,23] has also given a (complete) proof-theoretic semantics for IPL, but it mimics Kripke’s [17] semantics. What is interesting about the B-eS in Sandqvist [29] is the way in which it is not a representation of the possible world semantics. This is most clearly seen in (∨), which takes the form of the ‘second-order’ definition of disjunction—that is,

$$
U + V = \forall X\,\big((U \Rightarrow X) \Rightarrow (V \Rightarrow X) \Rightarrow X\big)
$$

—see Girard [12] and Negri [41]. This adumbrates the categorical perspective on B-eS given by Pym et al. [26]. Proof-theoretically, the clause recalls the elimination rule for the connective restricted to atomic conclusions,

$$
\frac{\varphi \vee \psi \qquad \begin{array}{c}[\varphi]\\ \vdots\\ p\end{array}\qquad \begin{array}{c}[\psi]\\ \vdots\\ p\end{array}}{p}
$$

Dummett [9] has shown that such restriction in NJ is without loss of expressive power. Indeed, all of the clauses in Fig. 1 may be regarded as taking the form of the corresponding elimination rules.

The principle of definitional reflection, as described in Sect. 1, justifies this phenomenon. According to this principle, an alternative candidate clause for conjunction is as follows:

$$
(\wedge^*)\quad \Vdash^{*}_{\mathcal B} \varphi \wedge \psi \quad\text{iff}\quad \text{for any } \mathcal C \supseteq \mathcal B \text{ and any } p \in \mathbb A,\ \text{if } \varphi, \psi \Vdash^{*}_{\mathcal C} p, \text{ then } \Vdash^{*}_{\mathcal C} p
$$

Definition 3. The relation ⊩*_ℬ is defined by the clauses of Fig. 1 with (∧*) in place of (∧). The judgement Γ ⊩* φ obtains iff Γ ⊩*_ℬ φ for any ℬ.


The resulting semantics is sound and complete for IPL:

Theorem 2. Γ ⊩* φ iff Γ ⊢ φ.

Proof. We assume the following: for arbitrary base ℬ, and formulas φ, ψ, χ,

(IPL*-Monotone) If ⊩*_ℬ φ, then ⊩*_𝒞 φ for any 𝒞 ⊇ ℬ.
(IPL*-AndCut) If ⊩*_ℬ φ ∧ ψ and φ, ψ ⊩*_ℬ χ, then ⊩*_ℬ χ.

The first claim follows easily from (Inf). The second is a generalization of (∧*); it follows by induction on the structure of χ—an analogous treatment of disjunction was given by Sandqvist [29].

By Theorem 1, it suffices to show that Γ ⊩ φ iff Γ ⊩* φ. For this it suffices to show ⊩*_ℬ θ iff ⊩_ℬ θ for arbitrary ℬ and θ. We proceed by induction on the structure of θ. Since the two relations are defined identically except in the case when θ is a conjunction, we restrict attention to this case.

First, we show ⊩_ℬ θ_1 ∧ θ_2 implies ⊩*_ℬ θ_1 ∧ θ_2. By (∧*), the conclusion is equivalent to the following: for any 𝒞 ⊇ ℬ and p ∈ 𝔸, if θ_1, θ_2 ⊩*_𝒞 p, then ⊩*_𝒞 p. Therefore, fix 𝒞 ⊇ ℬ and p ∈ 𝔸 such that θ_1, θ_2 ⊩*_𝒞 p. By (Inf), this entails the following: if ⊩*_𝒞 θ_1 and ⊩*_𝒞 θ_2, then ⊩*_𝒞 p. By (∧) on the assumption (i.e., ⊩_ℬ θ_1 ∧ θ_2), we obtain ⊩_ℬ θ_1 and ⊩_ℬ θ_2. Hence, by the induction hypothesis (IH), ⊩*_ℬ θ_1 and ⊩*_ℬ θ_2. Whence, by (IPL*-Monotone), ⊩*_𝒞 θ_1 and ⊩*_𝒞 θ_2. Therefore, ⊩*_𝒞 p. We have thus shown ⊩*_ℬ θ_1 ∧ θ_2, as required.

Second, we show ⊩*_ℬ θ_1 ∧ θ_2 implies ⊩_ℬ θ_1 ∧ θ_2. It is easy to see that θ_1, θ_2 ⊩*_ℬ θ_i obtains for i = 1, 2. Applying (IPL*-AndCut) (setting φ = θ_1, ψ = θ_2) once with χ = θ_1 and once with χ = θ_2 yields ⊩*_ℬ θ_1 and ⊩*_ℬ θ_2. By the IH, ⊩_ℬ θ_1 and ⊩_ℬ θ_2. Hence, ⊩_ℬ θ_1 ∧ θ_2, as required.


A curious feature of the new semantics is that the meaning of the context- 
former (i.e., the comma) is not interpreted as ^; that is, defining the context- 
former as 


we may express (Inf) as

$$
\Gamma \Vdash_{\mathcal B} \varphi \quad\text{iff}\quad \text{for any } \mathcal C \supseteq \mathcal B,\ \text{if } \Vdash_{\mathcal C} \Gamma, \text{ then } \Vdash_{\mathcal C} \varphi
$$

The clause for contexts is not the same as the clause for ∧ in the new semantics. Nonetheless, as shown in the proof of Theorem 2, they are equivalent at every base—that is, ⊩*_ℬ φ, ψ iff ⊩*_ℬ φ ∧ ψ for any ℬ.

This equivalence of the two semantics yields the following: 


Corollary 1. For arbitrary base ℬ and formula φ, ⊩_ℬ φ iff, for any 𝒞 ⊇ ℬ and every atom p, if φ ⊩_𝒞 p, then ⊩_𝒞 p.


The significance of this result is that we see that formulas in the B-eS are 
precisely characterized by their support of atoms. 


3 Intuitionistic Multiplicative Linear Logic 


Having reviewed the B-eS for IPL, we turn now to intuitionistic multiplicative 
linear logic (IMLL). We first define the logic and then consider the challenges 
of giving a B-eS for it. This motivates the technical work in Sect. 4. Henceforth, 
we abandon the notation of the previous section as we do not need it and may 
recycle symbols and conventions. 

Fix a countably infinite set A of atoms. 


Definition 4 (Formula). The set of formulas (Form_IMLL) is defined by the following grammar:

$$
\varphi, \psi ::= p \in \mathbb A \ \mid\ \varphi \otimes \psi \ \mid\ \mathrm{I} \ \mid\ \varphi \multimap \psi
$$


We use p, q, … for atoms and φ, ψ, χ, … for formulas. In contrast to the work on IPL, collections of formulas in IMLL are more typically multisets. We use P, Q, … for finite multisets of atoms, and Γ, Δ, … to denote finite multisets of formulas.
[Fig. 3 residue: the rules of NIMLL in sequent format, covering the axiom and the rules for ⊗, I and ⊸; the rule figures are not recoverable.]

Fig. 3. The Sequential Natural Deduction System NIMLL for IMLL


We use $[\cdot]$ to specify a multiset; for example, $[\varphi, \varphi, \psi]$ denotes the multiset consisting of two occurrences of $\varphi$ and one occurrence of $\psi$. The empty multiset (i.e., the multiset with no members) is denoted $\varnothing$. The union of two multisets $\Gamma$ and $\Delta$ is denoted $\Gamma, \Delta$. We may identify a multiset containing one element with the element itself; thus, we may write $\psi, \Delta$ instead of $[\psi], \Delta$ to denote the union of multiset $\Delta$ and the singleton multiset $[\psi]$. Thus, when no confusion arises, we may write $\varphi_1, \ldots, \varphi_n$ to denote $[\varphi_1, \ldots, \varphi_n]$. 


Definition 5 (Sequent). A sequent is a pair $\Gamma \triangleright \varphi$ in which $\Gamma$ is a multiset of formulas and $\varphi$ is a formula. 


We characterize IMLL by proof in a natural deduction system. Since it is a 
substructural logic, we write the system in the format of a sequent calculus as 
this represents the context management explicitly. We assume general familiarity 
with sequent calculi—see, for example, Troelstra and Schwichtenberg [41]. 


Definition 6 (System NIMLL). The sequential natural deduction system for 
IMLL, denoted NIMLL, is given by the rules in Fig. 3. 


A sequent $\Gamma \triangleright \varphi$ is a consequence of IMLL—denoted $\Gamma \vdash \varphi$—iff there is a NIMLL-proof of it. 

One may regard IMLL as IPL without the structural rules of weakening and contraction—see Došen [8]. In other words, adding the following rules to NIMLL recovers a sequent calculus for IPL: 


$$\frac{\Gamma \triangleright \psi}{\Gamma, \varphi \triangleright \psi}\ (\mathrm{w}) \qquad \frac{\Gamma, \varphi, \varphi \triangleright \psi}{\Gamma, \varphi \triangleright \psi}\ (\mathrm{c})$$


To stay close to the work in Sect. 2, it is instructive to consider the natural deduction presentation, too. The rule figures may be the same, but their application is not; for example, 

$$\frac{\varphi \quad \psi}{\varphi \otimes \psi}$$


means 'if $\Gamma \vdash \varphi$ and $\Delta \vdash \psi$, then $\Gamma, \Delta \vdash \varphi \otimes \psi$' 
(i.e., not 'if $\Gamma \vdash \varphi$ and $\Gamma \vdash \psi$, then $\Gamma \vdash \varphi \otimes \psi$'). 


Here, it is important that the contexts are multisets, not sets. 
The strict context management in IMLL yields the celebrated 'resource interpretations' of Linear Logic—see Girard [11]. The leading example is, perhaps, the number-of-uses reading in which a proof of a formula $\varphi \multimap \psi$ determines a function that uses its arguments exactly once. This reading is, however, entirely proof-theoretic and is not expressed in the truth-functional semantics of IMLL—see Girard [11], Allwein and Dunn [1], and Coumans et al. [6]. Though these semantics do have a sense of 'resource', it is not via the number-of-uses reading, but instead denotational in the sense of the treatment of resources in the truth-functional semantics of the logic of Bunched Implications [19]. The number-of-uses reading is, however, reflected in the categorical semantics—see Seely [35] and Biermann [3,4]. 

How do we render support sensitive to the resource reading? The subtlety is that for $\Gamma \Vdash_{\mathcal{B}} \varphi$ (where $\Gamma \neq \varnothing$), we must somehow transmit the resources captured by $\Gamma$ to $\varphi$. From Corollary 1, we see that in B-eS the content of a formula is captured by the atoms it supports. Therefore, we enrich the support relation with a multiset of atoms $P$, 


$$\Gamma \Vdash^{P}_{\mathcal{B}} \varphi \quad \text{iff} \quad \text{for any } \mathcal{C} \supseteq \mathcal{B} \text{ and any } U, \text{ if } \Vdash^{U}_{\mathcal{C}} \Gamma, \text{ then } \Vdash^{U, P}_{\mathcal{C}} \varphi$$
where 
$$\Vdash^{U}_{\mathcal{C}} \Gamma_1, \Gamma_2 \quad \text{iff} \quad \text{there are } U_1 \text{ and } U_2 \text{ such that } U = (U_1, U_2),\ \Vdash^{U_1}_{\mathcal{C}} \Gamma_1, \text{ and } \Vdash^{U_2}_{\mathcal{C}} \Gamma_2$$


This completes the background on IMLL. 


4 Base-extension Semantics for IMLL 


In this section, we give a B-eS for IMLL. It is structured as follows: first, we 
define support in a base in Sect. 4.1; second, we prove soundness in Sect. 4.2; 
finally, we prove completeness in Sect. 4.3. 


4.1 Support in a Base 


The definition of the B-eS proceeds in line with that for IPL (Sect.2) while 
taking substructurality into consideration. 


Definition 7 (Atomic Sequent). An atomic sequent is a pair $P \triangleright p$ in which $P$ is a multiset of atoms and $p$ is an atom. 


Definition 8 (Atomic Rule). An atomic rule is a pair $\mathcal{P} \Rightarrow p$ in which $\mathcal{P}$ is a (possibly empty) finite set of atomic sequents and $p$ is an atom. 


Definition 9 (Base). A base $\mathcal{B}$ is a (possibly infinite) set of atomic rules. 


Definition 10 (Derivability in a Base). The relation $\vdash_{\mathcal{B}}$ of derivability in $\mathcal{B}$ is the least relation satisfying the following: 


(Ref) $p \vdash_{\mathcal{B}} p$ 

(App) If $S_i, P_i \vdash_{\mathcal{B}} p_i$ for $i = 1, \ldots, n$ and $(P_1 \triangleright p_1, \ldots, P_n \triangleright p_n) \Rightarrow p \in \mathcal{B}$, then $S_1, \ldots, S_n \vdash_{\mathcal{B}} p$. 


(At) $\Vdash^{S}_{\mathcal{B}} p$ iff $S \vdash_{\mathcal{B}} p$ 
($\otimes$) $\Vdash^{S}_{\mathcal{B}} \varphi \otimes \psi$ iff for any $\mathcal{C} \supseteq \mathcal{B}$, multiset of atoms $U$, and atom $p$, if $\varphi, \psi \Vdash^{U}_{\mathcal{C}} p$, then $\Vdash^{S, U}_{\mathcal{C}} p$ 
(I) $\Vdash^{S}_{\mathcal{B}} \mathrm{I}$ iff for any $\mathcal{C} \supseteq \mathcal{B}$, multiset of atoms $U$, and atom $p$, if $\Vdash^{U}_{\mathcal{C}} p$, then $\Vdash^{S, U}_{\mathcal{C}} p$ 
($\multimap$) $\Vdash^{S}_{\mathcal{B}} \varphi \multimap \psi$ iff $\varphi \Vdash^{S}_{\mathcal{B}} \psi$ 
(,) $\Vdash^{P}_{\mathcal{B}} \Gamma, \Delta$ iff there are $U$ and $V$ such that $P = (U, V)$, $\Vdash^{U}_{\mathcal{B}} \Gamma$, and $\Vdash^{V}_{\mathcal{B}} \Delta$ 
(Inf) $\Gamma \Vdash^{S}_{\mathcal{B}} \varphi$ iff for any $\mathcal{C} \supseteq \mathcal{B}$ and any $U$, if $\Vdash^{U}_{\mathcal{C}} \Gamma$, then $\Vdash^{S, U}_{\mathcal{C}} \varphi$ 


Fig. 4. Base-extension Semantics for IMLL 


Note the differences between Definition 1 and Definition 10: first, in (Ref), no redundant atoms are allowed to appear, while in (Ref-IPL) they may; second, in (App), the multisets $S_1, \ldots, S_n$ are collected together as a multiset, while in (App-IPL), there is one set. These differences reflect the fact that, in the multiplicative setting, 'resources' can neither be discharged nor shared. 


Definition 11 (Support). That a sequent $\Gamma \triangleright \varphi$ is supported in the base $\mathcal{B}$ using resources $S$—denoted $\Gamma \Vdash^{S}_{\mathcal{B}} \varphi$—is defined by the clauses of Fig. 4 in which $\Gamma$ and $\Delta$ are non-empty finite multisets of formulas. The sequent $\Gamma \triangleright \varphi$ is supported using resources $S$—denoted $\Gamma \Vdash^{S} \varphi$—iff $\Gamma \Vdash^{S}_{\mathcal{B}} \varphi$ for any base $\mathcal{B}$. The sequent $\Gamma \triangleright \varphi$ is valid—denoted $\Gamma \Vdash \varphi$—iff $\Gamma \triangleright \varphi$ is supported using the empty multiset of resources (i.e., $\Gamma \Vdash^{\varnothing} \varphi$). 


It is easy to see that Fig. 4 is an inductive definition on a structure of formulas that prioritizes conjunction ($\otimes$) over implication ($\multimap$)—an analogous treatment in IPL with disjunction ($\vee$) prioritized over implication ($\to$) has been given by Sandqvist [29]. As explained in Sect. 3, the purpose of the multisets of atoms $S$ in the support relation $\Vdash^{S}_{\mathcal{B}}$ is to express the substructurality of the logical constants. The naive ways of using multisets of formulas rather than multisets of atoms—for example, indexing support by a multiset of formulas $\Delta$ in place of $S$—result in impredicative definitions of support. 

We read (Inf) as saying that $\Gamma \Vdash^{S}_{\mathcal{B}} \varphi$ (for $\Gamma \neq \varnothing$) means, for any extension $\mathcal{C}$ of $\mathcal{B}$, if $\Gamma$ is supported in $\mathcal{C}$ with some resources $U$ (i.e., $\Vdash^{U}_{\mathcal{C}} \Gamma$), then $\varphi$ is also supported by combining the resources $U$ with the resources $S$ (i.e., $\Vdash^{S, U}_{\mathcal{C}} \varphi$). 
The following observation on the monotonicity of the semantics with regard to base extensions follows immediately by unfolding definitions: 


Proposition 1. If $\Gamma \Vdash^{S}_{\mathcal{B}} \varphi$ and $\mathcal{C} \supseteq \mathcal{B}$, then $\Gamma \Vdash^{S}_{\mathcal{C}} \varphi$. 


From this proposition we see the following: $\Gamma \Vdash^{S} \varphi$ iff $\Gamma \Vdash^{S}_{\varnothing} \varphi$, and $\Gamma \Vdash \varphi$ iff $\Gamma \Vdash^{\varnothing}_{\varnothing} \varphi$. As expected, we do not have monotonicity on resources—that is, $\Gamma \Vdash^{S}_{\mathcal{B}} \varphi$ does not, in general, imply $\Gamma \Vdash^{S, T}_{\mathcal{B}} \varphi$ for arbitrary $T$. This exposes the different parts played by bases and the resources in the semantics: bases are the setting in which a formula is supported, resources are tokens used in that setting to establish the support. 

A distinguishing aspect of support is the structure of (Inf). In one direction, 
it is merely cut, but in the other it says something stronger. The completeness 
argument will go through the atomic case (analogous to the treatment of IPL in 
Sect. 2.2), and the following proposition suggests that the setup is correct: 


Proposition 2. The following two propositions are equivalent for arbitrary base $\mathcal{B}$, multisets of atoms $P, S$, and atom $q$, where we assume $P = [p_1, \ldots, p_n]$: 


1. $P, S \vdash_{\mathcal{B}} q$. 
2. For any $\mathcal{C} \supseteq \mathcal{B}$ and multisets of atoms $T_1, \ldots, T_n$, if $T_i \vdash_{\mathcal{C}} p_i$ holds for all $i = 1, \ldots, n$, then $T_1, \ldots, T_n, S \vdash_{\mathcal{C}} q$. 


It remains to prove soundness and completeness. 


4.2 Soundness 
Theorem 3 (Soundness). If $\Gamma \vdash \varphi$, then $\Gamma \Vdash \varphi$. 


The argument follows a typical strategy of showing that the semantics respects the rules of NIMLL—that is, for any $\Gamma, \Delta, \varphi, \psi$, and $\chi$: 


(Ax) $\varphi \Vdash \varphi$ 
($\multimap$I) If $\Gamma, \varphi \Vdash \psi$, then $\Gamma \Vdash \varphi \multimap \psi$ 
($\multimap$E) If $\Gamma \Vdash \varphi \multimap \psi$ and $\Delta \Vdash \varphi$, then $\Gamma, \Delta \Vdash \psi$ 
($\otimes$I) If $\Gamma \Vdash \varphi$ and $\Delta \Vdash \psi$, then $\Gamma, \Delta \Vdash \varphi \otimes \psi$ 
($\otimes$E) If $\Gamma \Vdash \varphi \otimes \psi$ and $\Delta, \varphi, \psi \Vdash \chi$, then $\Gamma, \Delta \Vdash \chi$ 
(II) $\Vdash \mathrm{I}$ 
(IE) If $\Gamma \Vdash \chi$ and $\Delta \Vdash \mathrm{I}$, then $\Gamma, \Delta \Vdash \chi$ 


These follow quickly from the fact that the clauses of each connective in Fig. 4 take the form of its elimination rules. The only subtle cases are ($\otimes$E) and (IE). 

To show (IE), suppose $\Gamma \Vdash \chi$ and $\Delta \Vdash \mathrm{I}$. We require to show $\Gamma, \Delta \Vdash \chi$. By (Inf), we fix some base $\mathcal{B}$ and multisets of atoms $P$ and $Q$ such that $\Vdash^{P}_{\mathcal{B}} \Gamma$ and $\Vdash^{Q}_{\mathcal{B}} \Delta$. It remains to verify $\Vdash^{P, Q}_{\mathcal{B}} \chi$. When $\chi$ is atomic, this follows immediately from $\Vdash^{P}_{\mathcal{B}} \chi$ and $\Vdash^{Q}_{\mathcal{B}} \mathrm{I}$ by (I). To handle non-atomic $\chi$, we require the following: 


Lemma 1. For arbitrary base $\mathcal{B}$, multisets of atoms $S, T$, and formula $\chi$, if 1. $\Vdash^{S}_{\mathcal{B}} \mathrm{I}$, 2. $\Vdash^{T}_{\mathcal{B}} \chi$, then 3. $\Vdash^{S, T}_{\mathcal{B}} \chi$. 


This lemma follows by induction on the structure of $\chi$, with the base case given by (I). One cannot use this general form to define $\mathrm{I}$ as it would result in an impredicative definition of support. 

Similarly, we require the following to prove (@E): 
$$(\multimap\mathrm{I})' : (\sigma' \triangleright \tau') \Rightarrow (\sigma \multimap \tau)' \qquad (\multimap\mathrm{E})' : (\triangleright (\sigma \multimap \tau)', \triangleright \sigma') \Rightarrow \tau'$$


$$(\otimes\mathrm{I})' : (\triangleright \sigma', \triangleright \tau') \Rightarrow (\sigma \otimes \tau)' \qquad (\otimes\mathrm{E})' : (\triangleright (\sigma \otimes \tau)', (\sigma', \tau' \triangleright p)) \Rightarrow p$$


$$\mathrm{I}_{\mathrm{I}}' : \Rightarrow \mathrm{I}' \qquad \mathrm{I}_{\mathrm{E}}' : (\triangleright \mathrm{I}', \triangleright p) \Rightarrow p$$


Fig. 5. Atomic System $\mathcal{M}$ 


Lemma 2. For arbitrary base $\mathcal{B}$, multisets of atoms $S, T$, and formulas $\varphi, \psi, \chi$, if 1. $\Vdash^{S}_{\mathcal{B}} \varphi \otimes \psi$, 2. $\varphi, \psi \Vdash^{T}_{\mathcal{B}} \chi$, then 3. $\Vdash^{S, T}_{\mathcal{B}} \chi$. 


With these results, we may prove soundness: 


Proof (Theorem 3—sketch). We demonstrate ($\otimes$I) and ($\otimes$E). 

($\otimes$I). Assume $\Gamma \Vdash \varphi$ and $\Delta \Vdash \psi$. We require to show $\Gamma, \Delta \Vdash \varphi \otimes \psi$. By (Inf), the conclusion is equivalent to the following: for any base $\mathcal{B}$, for any multisets of atoms $T$ and $S$, if $\Vdash^{T}_{\mathcal{B}} \Gamma$ and $\Vdash^{S}_{\mathcal{B}} \Delta$, then $\Vdash^{T, S}_{\mathcal{B}} \varphi \otimes \psi$. So we fix some $\mathcal{B}$ and $T, S$ such that $\Vdash^{T}_{\mathcal{B}} \Gamma$ and $\Vdash^{S}_{\mathcal{B}} \Delta$, and show that $\Vdash^{T, S}_{\mathcal{B}} \varphi \otimes \psi$. By ($\otimes$), it suffices to show, for arbitrary $\mathcal{C} \supseteq \mathcal{B}$, multiset of atoms $U$, and atom $p$, if $\varphi, \psi \Vdash^{U}_{\mathcal{C}} p$, then $\Vdash^{T, S, U}_{\mathcal{C}} p$. So we fix some $\mathcal{C} \supseteq \mathcal{B}$, multiset of atoms $U$, and atom $p$ such that $\varphi, \psi \Vdash^{U}_{\mathcal{C}} p$, and the goal is to show that $\Vdash^{T, S, U}_{\mathcal{C}} p$. From the assumptions $\Gamma \Vdash \varphi$ and $\Delta \Vdash \psi$, we see that $\Vdash^{T, S}_{\mathcal{B}} \varphi, \psi$ obtains. Therefore, by monotonicity, $\Vdash^{T, S}_{\mathcal{C}} \varphi, \psi$ obtains. By (Inf), this suffices for $\varphi, \psi \Vdash^{U}_{\mathcal{C}} p$ to yield $\Vdash^{T, S, U}_{\mathcal{C}} p$, as required. 

($\otimes$E). Assume $\Gamma \Vdash \varphi \otimes \psi$ and $\Delta, \varphi, \psi \Vdash \chi$. We require to show $\Gamma, \Delta \Vdash \chi$. By (Inf), it suffices to assume $\Vdash^{S}_{\mathcal{B}} \Gamma$ and $\Vdash^{T}_{\mathcal{B}} \Delta$ and show that $\Vdash^{S, T}_{\mathcal{B}} \chi$. First, $\Gamma \Vdash \varphi \otimes \psi$ together with $\Vdash^{S}_{\mathcal{B}} \Gamma$ entails that $\Vdash^{S}_{\mathcal{B}} \varphi \otimes \psi$. Second, by (Inf), $\Delta, \varphi, \psi \Vdash \chi$ is equivalent to the following: 


for any $\mathcal{B}$ and $P, Q$, if $\Vdash^{P}_{\mathcal{B}} \Delta$ and $\Vdash^{Q}_{\mathcal{B}} \varphi, \psi$, then $\Vdash^{P, Q}_{\mathcal{B}} \chi$ 

Since $\Vdash^{T}_{\mathcal{B}} \Delta$, setting $P := T$ and $Q := S$ yields 


$$\text{for any } \mathcal{C} \supseteq \mathcal{B}, \text{ if } \Vdash^{S}_{\mathcal{C}} \varphi, \psi, \text{ then } \Vdash^{T, S}_{\mathcal{C}} \chi \tag{1}$$


Now, given $\Vdash^{S}_{\mathcal{B}} \varphi \otimes \psi$ and (1), we can apply Lemma 2 and conclude $\Vdash^{S, T}_{\mathcal{B}} \chi$. 


4.3 Completeness 
Theorem 4 (Completeness). If $\Gamma \Vdash \varphi$, then $\Gamma \vdash \varphi$. 


The argument follows the strategy used by Sandqvist [29] for IPL—see Sect. 2.2. We explain the main steps. 

Let $\Xi$ be the set of all sub-formulas of $\Gamma \cup \{\varphi\}$. Let $(\cdot)' : \Xi \to \mathbb{A}$ be an injection that is fixed on $\Xi \cap \mathbb{A}$—that is, $p' = p$ for $p \in \Xi \cap \mathbb{A}$. Let $(\cdot)^{\flat}$ be the left-inverse of $(\cdot)'$—that is, $p^{\flat} = \chi$ if $p = \chi'$, and $p^{\flat} = p$ if $p$ is not in the image of $(\cdot)'$. Both act on multisets of formulas pointwise; that is, $\Delta' = [\delta' \mid \delta \in \Delta]$ and $P^{\flat} := [p^{\flat} \mid p \in P]$. 

We construct a base $\mathcal{M}$ such that $\varphi'$ behaves in $\mathcal{M}$ as $\varphi$ behaves in NIMLL. The base $\mathcal{M}$ contains all instances of the rules of Fig. 5 when $\sigma$ and $\tau$ range over $\Xi$, and $p$ ranges over $\mathbb{A}$. We illustrate how $\mathcal{M}$ works with an example. 


Example 2. Consider the sequent $\Gamma \triangleright \varphi$ where $\Gamma = [p_1, p_2, p_1 \otimes p_2 \multimap q, p_1]$ and $\varphi = q \otimes p_1$. By definition, $\Xi := \{p_1, p_2, p_1 \otimes p_2 \multimap q, p_1 \otimes p_2, q, q \otimes p_1\}$, and, therefore, the image of $(\cdot)'$ is $\{p_1, p_2, q, (p_1 \otimes p_2 \multimap q)', (p_1 \otimes p_2)', (q \otimes p_1)'\}$. That $\Gamma \vdash \varphi$ obtains is witnessed by the following NIMLL-proof: 


$$\frac{\dfrac{\dfrac{\overline{p_1 \triangleright p_1}\ \mathrm{ax} \quad \overline{p_2 \triangleright p_2}\ \mathrm{ax}}{p_1, p_2 \triangleright p_1 \otimes p_2}\ \otimes\mathrm{I} \quad \overline{p_1 \otimes p_2 \multimap q \triangleright p_1 \otimes p_2 \multimap q}\ \mathrm{ax}}{p_1, p_2, p_1 \otimes p_2 \multimap q \triangleright q}\ \multimap\mathrm{E} \quad \overline{p_1 \triangleright p_1}\ \mathrm{ax}}{p_1, p_2, p_1 \otimes p_2 \multimap q, p_1 \triangleright q \otimes p_1}\ \otimes\mathrm{I}$$


The base $\mathcal{M}$ is designed so that we may simulate the rules of NIMLL; for example, ($\otimes$E) is simulated by using (App) on ($\otimes$E)', 


$$(\triangleright (\sigma \otimes \tau)', (\sigma', \tau' \triangleright \psi')) \Rightarrow \psi' \quad \text{means} \quad \text{if } \Delta' \vdash_{\mathcal{M}} (\sigma \otimes \tau)' \text{ and } \Sigma', \sigma', \tau' \vdash_{\mathcal{M}} \psi' \text{ then } \Delta', \Sigma' \vdash_{\mathcal{M}} \psi'$$


In this sense, the proof above is simulated by the following steps: 


(i) By (Ref), (1) $p_1 \vdash_{\mathcal{M}} p_1$; (2) $p_2 \vdash_{\mathcal{M}} p_2$; (3) $(p_1 \otimes p_2 \multimap q)' \vdash_{\mathcal{M}} (p_1 \otimes p_2 \multimap q)'$ 
(ii) By (App), using ($\otimes$I)' on (1) and (2), we obtain (4) $p_1, p_2 \vdash_{\mathcal{M}} (p_1 \otimes p_2)'$ 
(iii) By (App), using ($\multimap$E)' on (3) and (4), we obtain (5) $(p_1 \otimes p_2 \multimap q)', p_1, p_2 \vdash_{\mathcal{M}} q$ 
(iv) By (App), using ($\otimes$I)' on (1) and (5), we have $(p_1 \otimes p_2 \multimap q)', p_1, p_2, p_1 \vdash_{\mathcal{M}} (q \otimes p_1)'$. 


Significantly, steps (i)-(iv) are analogues of the steps in the proof tree above. $\blacksquare$ 
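As an added illustration (not code from the paper), the following Python checker implements derivability in a base (Definition 10) over multisets of atoms, builds a finite restriction of the bespoke base $\mathcal{M}$ from the ($\otimes$I)', ($\otimes$E)', ($\multimap$I)' and ($\multimap$E)' schemas of Fig. 5, and replays Example 2. It assumes that $\sigma, \tau$ range over $\Xi$ with $\sigma \otimes \tau, \sigma \multimap \tau \in \Xi$, that $p$ ranges over the atoms $\Xi'$, and that contexts are capped in size so that forward chaining terminates; the atom names and the cap are constructed here.

```python
from collections import Counter
from itertools import product

# A multiset of atoms is a sorted tuple; a judgement S ⊢_B p is the pair (S, p).
def ms(*atoms):
    return tuple(sorted(atoms))

def ms_union(*parts):
    return tuple(sorted(a for part in parts for a in part))

def ms_minus(s, p):
    """S with the multiset P removed, or None if P is not contained in S:
    a rule may only discharge resources that are actually present."""
    cs, cp = Counter(s), Counter(p)
    if any(cs[a] < n for a, n in cp.items()):
        return None
    return tuple(sorted((cs - cp).elements()))

def _contexts(derived, P_i, p_i):
    """Every S_i such that S_i, P_i ⊢_B p_i has already been derived."""
    out = []
    for S, r in derived:
        if r == p_i:
            S_i = ms_minus(S, P_i)
            if S_i is not None:
                out.append(S_i)
    return out

def derivable(base, s, q, bound):
    """Decide S ⊢_B q (Definition 10) by forward chaining: (Ref) for every atom
    mentioned, then (App) on each rule ((P_1 ▷ p_1, ..., P_n ▷ p_n) ⇒ p) until
    nothing new appears. Contexts are capped at `bound` atoms so the loop
    terminates (an assumption of this checker): True is always sound, False is
    exhaustive only for derivations whose intermediate contexts fit the bound."""
    atoms = set(s) | {q}
    for premises, p in base:
        atoms.add(p)
        for P_i, p_i in premises:
            atoms.update(P_i)
            atoms.add(p_i)
    derived = {(ms(a), a) for a in atoms}          # (Ref): p ⊢_B p, nothing redundant
    while (ms(*s), q) not in derived:
        new = set()
        for premises, p in base:
            options = [_contexts(derived, P_i, p_i) for P_i, p_i in premises]
            for combo in product(*options):        # (App): S_1, ..., S_n ⊢_B p
                ctx = ms_union(*combo)
                if len(ctx) <= bound and (ctx, p) not in derived:
                    new.add((ctx, p))
        if not new:
            return False
        derived |= new
    return True

# Formulas: atoms are strings, compound formulas are ('⊗', σ, τ) or ('⊸', σ, τ).
def subformulas(f):
    yield f
    if not isinstance(f, str):
        yield from subformulas(f[1])
        yield from subformulas(f[2])

def prime(f):
    """(·)' : Ξ → A, fixed on atoms and sending a compound formula to a fresh atom."""
    return f if isinstance(f, str) else f"({prime(f[1])} {f[0]} {prime(f[2])})'"

def bespoke_base(gamma, phi):
    """Instances of the (⊗I)', (⊗E)', (⊸I)', (⊸E)' schemas of Fig. 5 with σ, τ
    over Ξ (sub-formulas of Γ ∪ {φ}) such that σ⊗τ, σ⊸τ ∈ Ξ, and p over the
    atoms Ξ'. Restricting to this finite fragment of M is assumed here."""
    xi = {g for f in list(gamma) + [phi] for g in subformulas(f)}
    atoms = {prime(f) for f in xi}
    base = []
    for f in xi:
        if isinstance(f, str):
            continue
        op, s, t = f
        if op == '⊗':
            base.append((((ms(), prime(s)), (ms(), prime(t))), prime(f)))        # (⊗I)'
            for p in atoms:                                                        # (⊗E)'
                base.append((((ms(), prime(f)), (ms(prime(s), prime(t)), p)), p))
        else:
            base.append((((ms(prime(s)), prime(t)),), prime(f)))                 # (⊸I)'
            base.append((((ms(), prime(f)), (ms(), prime(s))), prime(t)))       # (⊸E)'
    return base

# Example 2, constructed here: Γ = [p1, p2, p1 ⊗ p2 ⊸ q, p1] and φ = q ⊗ p1.
GAMMA = ['p1', 'p2', ('⊸', ('⊗', 'p1', 'p2'), 'q'), 'p1']
PHI = ('⊗', 'q', 'p1')

def example2(gamma=GAMMA, phi=PHI, bound=6):
    """Return (Γ' ⊢_M φ', Γ' minus the second p1 ⊢_M φ', Γ' plus a third p1 ⊢_M φ').
    The last two fail: the atomic system has neither contraction nor weakening."""
    base = bespoke_base(gamma, phi)
    g = [prime(f) for f in gamma]
    return (derivable(base, g, prime(phi), bound),
            derivable(base, g[:-1], prime(phi), bound),
            derivable(base, g + ['p1'], prime(phi), bound))
```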


Theorem 4 (Completeness) follows from the following three observations, which are counterparts to (IPL-AtComp), (IPL-Flat), and (IPL-Nat) from Sect. 2.2: 


(IMLL-AtComp) For any $\mathcal{B}$, $P$, $S$, and $q$, $P, S \vdash_{\mathcal{B}} q$ iff $P \Vdash^{S}_{\mathcal{B}} q$. 
(IMLL-Flat) For any $\xi \in \Xi$, $\mathcal{C} \supseteq \mathcal{M}$ and $U$, $\Vdash^{U}_{\mathcal{C}} \xi'$ iff $\Vdash^{U}_{\mathcal{C}} \xi$. 
(IMLL-Nat) For any $P$ and $q$, if $P \vdash_{\mathcal{M}} q$ then $P^{\flat} \vdash q^{\flat}$. 


(IMLL-AtComp) follows from Proposition 2 and is the base case of completeness. (IMLL-Flat) formalizes the idea that every formula $\xi$ appearing in $\Gamma \triangleright \varphi$ behaves the same as $\xi'$ in any base extending $\mathcal{M}$. Consequently, $\Gamma' \Vdash_{\mathcal{M}} \varphi'$ iff $\Gamma \Vdash_{\mathcal{M}} \varphi$. (IMLL-Nat) intuitively says that $\mathcal{M}$ is a faithful atomic encoding of NIMLL, witnessed by $(\cdot)^{\flat}$. This together with (IMLL-Flat) guarantees that every $\xi \in \Xi$ behaves in $\mathcal{M}$ as $\xi'$ in $\mathcal{M}$, thus as $(\xi')^{\flat} = \xi$ in NIMLL. 

Proof (Theorem 4—Completeness). Assume $\Gamma \Vdash \varphi$ and let $\mathcal{M}$ be the bespoke base for $\Gamma \triangleright \varphi$. By (IMLL-Flat), $\Gamma' \Vdash^{\varnothing}_{\mathcal{M}} \varphi'$. Therefore, by (IMLL-AtComp), we have $\Gamma' \vdash_{\mathcal{M}} \varphi'$. Finally, by (IMLL-Nat), $(\Gamma')^{\flat} \vdash (\varphi')^{\flat}$, namely $\Gamma \vdash \varphi$. 


5 Conclusion 


Proof-theoretic semantics (P-tS) is the paradigm of meaning in logic based on 
proof, as opposed to truth. A particular form of P-tS is base-extension semantics 
(B-eS) in which one defines the logical constants by means of a support relation 
indexed by a base—a system of natural deduction for atomic propositions— 
which grounds the meaning of atoms by proof in that base. This paper provides 
a sound and complete base-extension semantics for intuitionistic multiplicative 
linear logic (IMLL). 

The B-eS for IPL given by Sandqvist [29] provides a strategy for the problem. The paper begins with a brief but instructive analysis of this work that reveals definitional reflection (DR) as an underlying principle delivering the semantics; accordingly, in Sect. 2.3, the paper modifies the B-eS for IPL to strictly adhere to DR and proves soundness and completeness of the result. Moreover, the analysis highlights that essential to B-eS is a transmission of proof-theoretic content: a formula $\varphi$ is supported in a base $\mathcal{B}$ relative to a context $\Gamma$ iff, for any extension $\mathcal{C}$ of $\mathcal{B}$, the formula $\varphi$ is supported in $\mathcal{C}$ whenever $\Gamma$ is supported in $\mathcal{C}$. 

With this understanding of B-eS of IPL, the paper gives a ‘resource-sensitive’ 
adaptation by enriching the support relation to carry a multiset of atomic 
‘resources’ that enable the transmission of proof-theoretic content. This captures 
the celebrated ‘resource reading’ of IMLL which is entirely proof-theoretic—see 
Girard [11]. The clauses of the logical constants are then delivered by DR on 
their introduction rules. Having set up the B-eS for IMLL in this principled way, 
soundness and completeness follow symmetrically to the preceding treatment of 
IPL. 

To date, P-tS has largely been restricted to classical and intuitionistic propo- 
sitional logics. This paper provides the first step toward a broader analysis. In 
particular, the analysis in this paper suggests a general methodology for deliver- 
ing B-eS for other substructural logics such as, inter alia, (intuitionistic) Linear 
Logic [11] (LL) and the logic of Bunched Implications [19] (BI). While it is 
straightforward to add the additive connectives of LL, with the evident seman- 
tic clauses following IPL and with the evident additional cases in the proofs, it 
is less apparent how to handle the exponentials. For BI, the primary challenge 
is to appropriately account for the bunched structure of contexts, and to enable 
and confine weakening and contraction to the additive context-former. 

Developing the P-tS for substructural logics is valuable because of their deployment in the verification and modelling of systems. Significantly, P-tS has been shown to be useful in simulation modelling—see, for example, Kuorikoski and Reijula [16]. Of course, more generally, we may ask what conditions a logic must satisfy in order to provide a B-eS for it. 
Abstract. This work addresses the maximum satisfiability (MaxSAT) problem for a multiset of arbitrary formulas of the language of propositional Łukasiewicz logic over the MV-algebra whose universe is the real interval [0,1]. First, we reduce the MaxSAT problem to the SAT problem over the same algebra. This solution method sets a benchmark for other approaches, allowing a classification of the MaxSAT problem in terms of metric reductions introduced by Krentel. We later define an alternative analytic method with preprocessing in terms of a Tseitin transformation of the input, followed by a reduction to a system of linear constraints, in analogy to the earlier approaches of Hähnle and Olivetti. We discuss various aspects of these approaches to solving the problem. 
1 Introduction 


Satisfiability is a semantic problem: it relates not just to a logic (here, the infinite-valued Łukasiewicz logic), but to a semantics interpreting that logic (here, the MV-algebra on the real unit interval with natural order, called "standard MV-algebra" and denoted $[0,1]_{\text{Ł}}$). 

A propositional formula $\varphi(x_1, \ldots, x_n)$ of the language of Łukasiewicz logic is satisfiable in an MV-algebra $\mathcal{A}$ provided there is an assignment of elements of the universe of $\mathcal{A}$ to $x_1, \ldots, x_n$ that yields the value $1^{\mathcal{A}}$ (i.e., the top element in the lattice order of $\mathcal{A}$). This definition determines, for a given MV-algebra $\mathcal{A}$, a unique set of its satisfiable formulas $\mathrm{SAT}(\mathcal{A})$. The satisfiability notion extends immediately to a finite list of formulas $(\varphi_1, \ldots, \varphi_m)$, which is satisfiable in $\mathcal{A}$ if and only if so is the conjunction of the formulas on the list.¹ 


¹ It is important to specify which MV-algebra is considered, since for many infinite MV-algebras $\mathcal{A}$, and even many subalgebras of $[0,1]_{\text{Ł}}$, the set $\mathrm{SAT}(\mathcal{A})$ is distinct from $\mathrm{SAT}([0,1]_{\text{Ł}})$ [16, Theorem 6.6]. Some extant works on satisfiability refer to "infinite-valued Łukasiewicz logic" while in fact working with the algebra $[0,1]_{\text{Ł}}$. 
This paper works with the standard MV-algebra $[0,1]_{\text{Ł}}$ without mentioning it explicitly from now on; thus we write SAT for $\mathrm{SAT}([0,1]_{\text{Ł}})$ and likewise for the MaxSAT problems considered in this paper. If another algebra, distinct from $[0,1]_{\text{Ł}}$, is considered, it will be indicated explicitly. 

The focus of this paper is not on satisfiability, but on maximum satisfiability, an optimization problem (with a natural decision version): given a multiset (i.e., a list) of arbitrary formulas of the language of Łukasiewicz logic, find the maximum number among them that can be satisfied under a single assignment, over all assignments. The formulas are not required to be in a normal form. It was recognized early on by Mundici [22] that formulas of Łukasiewicz logic are a suitable device for counting; his paper gives a reduction of the (decision version of) the Boolean MaxSAT problem to the problem SAT; see also [25]. 

The MaxSAT problem for a list of arbitrary formulas over the three-element MV-chain has been addressed in [19], using semantic tableaux; the approach generalizes to other finite MV-chains, but not to MV-chains with infinitely many elements. Earlier results in satisfiability go back to Mundici's proof of the NP-completeness of the SAT problem, obtained by bounding the denominators of a satisfying assignment. This line of research was continued in [1,2], see also [27]. 

Our main contribution consists in showing that the MaxSAT problem can be 
reduced to the SAT problem, in Sect. 3, and can then be used as a benchmark to 
assess the analytic method in Sect. 4; a similar analysis could then be performed 
with any other calculi for the maximum satisfiability problem. 

This paper is structured as follows. Section 2 defines the problem and introduces technical tools. Section 3 gives a method for solving the MaxSAT problem in $[0,1]_{\text{Ł}}$ based on a Cook reduction of MaxSAT to the SAT problem. Section 4 outlines an analytic method with preprocessing via a Tseitin transformation, using a variant of the approach of [12,24], where each branch of a tableau tree ends with solving a system of linear constraints. The method is proved sound and complete. Eliminating the branching of the tree can also be achieved, using established tools. 


2 Problem Formulation and Preliminaries 


The language of propositional Łukasiewicz logic Ł, denoted $\mathcal{L}(\text{Ł})$, has two basic connectives: $\neg$ (negation, unary) and $\oplus$ (strong disjunction, binary). Other connectives are definable: $1$ is $x \oplus \neg x$; $0$ is $\neg 1$; $x \odot y$ is $\neg(\neg x \oplus \neg y)$ (strong conjunction); $x \to y$ is $\neg x \oplus y$; $x \leftrightarrow y$ is $(x \to y) \odot (y \to x)$; $x \vee y$ is $(x \to y) \to y$ (weak disjunction); and $x \wedge y$ is $\neg(\neg x \vee \neg y)$ (weak conjunction). 

Well-formed formulas of $\mathcal{L}(\text{Ł})$ are built up from an infinite set of propositional variables $\mathrm{Var} = \{x_i\}_{i \in \mathbb{N}}$ using the connectives of $\mathcal{L}(\text{Ł})$. The basic language is a point of reference for complexity considerations; other connectives are used as shortcuts. If $\varphi$ is a formula of $\mathcal{L}(\text{Ł})$ in the basic language, $|\varphi|$ denotes the number of occurrences of propositional variables in $\varphi$.  Given that $\neg\neg\alpha \leftrightarrow \alpha$ is a theorem of Ł for any formula $\alpha \in \mathcal{L}(\text{Ł})$, we will assume double negation does not occur in formulas. With this convention in place, the number of occurrences of connectives in $\varphi$ is bounded by $2|\varphi|$. Thus $|\varphi|$ is a good notion of length of $\varphi$. Moreover $\|\varphi\|$ denotes the number of distinct subformulas of $\varphi$. 
MV-algebras can be introduced using Mundici's $\Gamma$-functor [10,20]: any MV-algebra is isomorphic to $\Gamma(G, u)$ for a lattice-ordered Abelian group $G$ with a strong unit $u$ (in particular, define $x \oplus y = u \wedge (x + y)$ and $\neg x = u - x$ for $x, y \in G$; then $\Gamma(G, u) = ([0, u], \oplus, \neg)$ is an MV-algebra). The standard MV-algebra $[0,1]_{\text{Ł}}$ is $\Gamma(\mathbb{R}, 1)$, interpreting the basic connectives in $[0,1]$ as follows: for any assignment $v$, $v(\neg\varphi) = 1 - v(\varphi)$ and $v(\varphi \oplus \psi) = \min(1, v(\varphi) + v(\psi))$. Any assignment to variables of $\varphi$ in language $\mathcal{L}(\text{Ł})$ extends to all its subformulas in the interpretation provided by $[0,1]_{\text{Ł}}$; this also determines the notion of satisfiability in $[0,1]_{\text{Ł}}$ and the set of satisfiable formulas of $[0,1]_{\text{Ł}}$, denoted SAT. 

The interpretations of $\oplus$, $\odot$, $\wedge$ and $\vee$ are commutative and associative, so one can write $x_1 \oplus \cdots \oplus x_n$ without worrying about order and parentheses. We write $x^m$ for $x \odot \cdots \odot x$ ($m$ occurrences) and $nx$ for $x \oplus \cdots \oplus x$ ($n$ occurrences). Also, $\vee$ and $\wedge$ distribute over each other and $\odot$ distributes over $\vee$. 


Unlike the Boolean MaxSAT problem over the two-element Boolean algebra, here we work with arbitrary formulas of $\mathcal{L}(\text{Ł})$. We formulate both the optimization and the decision version of the MaxSAT problem. 


MaxSAT-OPT 

Instance: multiset $(\varphi_1, \ldots, \varphi_m)$ of formulas of $\mathcal{L}(\text{Ł})$ in variables $\{x_1, \ldots, x_n\}$. 
Output: the maximum integer $k \le m$ such that there is an assignment $v$ to $\{x_1, \ldots, x_n\}$ that satisfies at least $k$ formulas in the multiset $(\varphi_1, \ldots, \varphi_m)$. 


MaxSAT-DEC 

Instance: multiset $(\varphi_1, \ldots, \varphi_m)$ of formulas of $\mathcal{L}(\text{Ł})$ in variables $\{x_1, \ldots, x_n\}$ and a positive integer $k \le m$. 

Output: (Boolean) Is $\mathrm{MaxSAT\text{-}OPT}((\varphi_1, \ldots, \varphi_m)(x_1, \ldots, x_n))$ at least $k$? 


Let $A$ be an integer $m \times n$ matrix. Let $x$ be an $n$-vector of variables and $b$ be an integer $m$-vector. The solvability of the system of inequalities $Ax \le b$ in $\mathbb{R}$ can be tested in polynomial time [28]. 

More generally, for the system $Ax \le b$, one can ask about the maximal size (number of lines) of a subsystem that is solvable in $\mathbb{R}$. This problem is known as the maximum feasible subsystem [4] of a system of linear constraints: the solution is a natural number $k$ bounded by $m$ (the total number of lines in the system). This problem is NP-hard. We shall refer to this problem as the Max-FS problem. Notice that the system is not defined as a set, so the same constraint may appear multiple times. 

There are many variants of the Max-FS problem; indeed, many were already suggested in the paper [4]. We will use a variant that partitions the linear constraints into two groups: those that need to be satisfied by any feasible solution (often called hard constraints; the paper [4] refers to them as "mandatory") and those the satisfied number of which is to be maximized (often called soft constraints; [4] refers to them as "optional") over all feasible solutions. This variant of the Max-FS problem will be called Max-FS with hard and soft constraints within this paper. 
3 Canonical Method 


First we give a polynomial-time, many-one (a.k.a. Karp) reduction of MaxSAT-DEC to SAT. Our reduction is similar to those used in [25] (which, in turn, refers to [22]) and in [15]. The differences arise from the fact that, in our case, an unsatisfied formula can take any value below 1 (but not necessarily 0), and this needs to be addressed in the definition of the set of formulas in the reduction. 

Let $(\varphi_1, \ldots, \varphi_m)(x_1, \ldots, x_n)$ and $k \le m$ be an instance of MaxSAT-DEC. It is well known that one can implicitly define any rational value in $[0,1]_{\text{Ł}}$ with a formula of $\mathcal{L}(\text{Ł})$: an early example of suitable formulas can be found in [30]. Let $k \ge 2$ and $y$ be a new variable, not among $(x_1, \ldots, x_n)$, and let 


$$\rho_{1/k} := y \leftrightarrow \neg((k-1)y)$$


Then we have that $\rho_{1/k}$ implicitly defines the rational value $1/k$ in $[0,1]_{\text{Ł}}$ (see, e.g., [25, Lemma 2]): that is, an assignment $v$ in $[0,1]_{\text{Ł}}$ sends $\rho_{1/k}$ to 1 if and only if it sends $y$ to $1/k$. Moreover, the length of this formula is linear in $k \le m$, therefore linear in the size of the instance on input. 

For $1 \le i \le m$, consider a new variable $y_{i,k}$, let $\Phi_{i,k}$ be the set of formulas 


$$\{\, (\varphi_i \to k\,y_{i,k}) \vee \neg y_{i,k},\ (y_{i,k} \leftrightarrow y) \vee \neg y_{i,k} \,\}$$
and let $\Phi_k$ be the list of formulas $\bigcup_{1 \le i \le m} \Phi_{i,k}$. 


Theorem 1. The pair $(\varphi_1, \ldots, \varphi_m)(x_1, \ldots, x_n)$ and $k$ with $2 \le k \le m$ belongs to MaxSAT-DEC if and only if the set $\{\rho_{1/k}\} \cup \Phi_k \cup \{\bigoplus_{i=1}^{m} y_{i,k}\}$ belongs to SAT. 


Proof. For the left-to-right direction, assume $v$ to be an assignment satisfying—without loss of generality—the first $k$ formulas of the list. Consider then the assignment $v'$ that coincides with $v$ on the variables $x_1, \ldots, x_n$ and puts $v'(y) = 1/k$ and 

$$v'(y_{i,k}) = \begin{cases} 1/k & \text{if } i \le k \\ 0 & \text{otherwise.} \end{cases}$$

The assignment $v'$ clearly satisfies $\rho_{1/k}$. Next, since $v'(y_{1,k}) = \ldots = v'(y_{k,k}) = 1/k$, also $v'(\bigoplus_{i=1}^{m} y_{i,k}) = 1$. Lastly, the formulas in $\Phi_k$ are satisfied under $v'$: the formulas $(y_{i,k} \leftrightarrow y) \vee \neg y_{i,k}$ are trivially satisfied, since each $y_{i,k}$ is indeed sent to either $1/k$ (and hence, $v'(y)$) or to 0. For the other formulas in $\Phi_k$, first $v'(\varphi_j) = 1$ and $k\,v'(y_{j,k}) = k \cdot 1/k = 1$ for each $1 \le j \le k$, and $v'(\neg y_{j,k}) = 1$ for $k < j \le m$, hence they are all satisfied. 

For the right-to-left direction, let $v$ be an assignment satisfying $\{\rho_{1/k}\} \cup \Phi_k \cup \{\bigoplus_{i=1}^{m} y_{i,k}\}$. From $\Phi_k$ and $\rho_{1/k}$ we know $v(y_{i,k})$ is either $1/k$ or 0. Therefore, for $v(\bigoplus_{i=1}^{m} y_{i,k}) = 1$, necessarily at least $k$ many $y$-variables are evaluated to $1/k$. Assume, again without loss of generality, that $v(y_{1,k}) = \ldots = v(y_{k,k}) = 1/k$. From $\Phi_k$ we get that $v((\varphi_i \to k\,y_{i,k}) \vee \neg y_{i,k}) = 1$ for each $1 \le i \le m$. In particular, since $v(\neg y_{j,k}) \ne 1$ for every $1 \le j \le k$, necessarily $v(\varphi_j \to k\,y_{j,k}) = 1$ for each such $j$. Together with the previously observed fact that $v(y_{j,k}) = 1/k$ for each such $j$, this implies that $v(\varphi_1) = \ldots = v(\varphi_k) = 1$, concluding the proof. 

For $k = 1$, it is immediate that $(\varphi_1, \ldots, \varphi_m)$ and $k$ is in MaxSAT-DEC if and only if $(\ldots(\varphi_1 \vee \varphi_2) \vee \ldots) \vee \varphi_m$ is in SAT. Given that for $m = k = 1$ both problems coincide, we get: 
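The reduction of Theorem 1 and the witness $v'$ from its proof, as an added Python example (not the paper's code): formulas are built from the basic connectives $\neg$ and $\oplus$ only, the other connectives are the abbreviations of Sect. 2, and the instance, the assignment and the fresh variable names `y`, `y_i,k` are constructed here. The instance includes a formula that evaluates to 1/2, the "unsatisfied but not 0" case the $\vee \neg y_{i,k}$ disjunct is there to handle.

```python
from fractions import Fraction as F

# Formulas of L(Ł) in the basic language: a variable name (str), ('neg', a) or
# ('oplus', a, b). Every other connective is an abbreviation, as in Sect. 2.
def neg(a): return ('neg', a)
def oplus(a, b): return ('oplus', a, b)
def odot(a, b): return neg(oplus(neg(a), neg(b)))     # x ⊙ y := ¬(¬x ⊕ ¬y)
def imp(a, b): return oplus(neg(a), b)                 # x → y := ¬x ⊕ y
def iff(a, b): return odot(imp(a, b), imp(b, a))       # x ↔ y := (x → y) ⊙ (y → x)
def vee(a, b): return imp(imp(a, b), b)                # x ∨ y := (x → y) → y

def times(n, a):
    """n·x := x ⊕ ... ⊕ x (n occurrences); 0·x is the constant 0 = ¬(x ⊕ ¬x)."""
    if n == 0:
        return neg(oplus(a, neg(a)))
    f = a
    for _ in range(n - 1):
        f = oplus(f, a)
    return f

def value(f, v):
    """Evaluate f in [0,1]_Ł under the assignment v (a dict), with exact rationals."""
    if isinstance(f, str):
        return F(v[f])
    if f[0] == 'neg':
        return 1 - value(f[1], v)                       # v(¬φ) = 1 − v(φ)
    return min(F(1), value(f[1], v) + value(f[2], v))   # v(φ ⊕ ψ) = min(1, v(φ)+v(ψ))

def satisfied(f, v):
    return value(f, v) == 1

def reduction(formulas, k):
    """The SAT instance {ρ_{1/k}} ∪ Φ_k ∪ {⊕_i y_{i,k}} of Theorem 1, k ≥ 2.
    Fresh variables are named 'y' and 'y_i,k' (a naming choice of this example)."""
    assert k >= 2
    out = [iff('y', neg(times(k - 1, 'y')))]              # ρ_{1/k}: forces v(y) = 1/k
    ys = [f'y_{i},{k}' for i in range(1, len(formulas) + 1)]
    for phi, yi in zip(formulas, ys):
        out.append(vee(imp(phi, times(k, yi)), neg(yi)))   # (φ_i → k·y_{i,k}) ∨ ¬y_{i,k}
        out.append(vee(iff(yi, 'y'), neg(yi)))             # (y_{i,k} ↔ y) ∨ ¬y_{i,k}
    big = ys[0]
    for yi in ys[1:]:
        big = oplus(big, yi)
    out.append(big)                                         # ⊕_{i=1}^m y_{i,k}
    return out

def witness(formulas, v, k):
    """The assignment v' of the proof: v on the x's, v'(y) = 1/k, and
    v'(y_{i,k}) = 1/k for k formulas that v satisfies, 0 for the rest."""
    sat = [i for i, phi in enumerate(formulas) if satisfied(phi, v)]
    assert len(sat) >= k, "v must satisfy at least k formulas"
    w = dict(v)
    w['y'] = F(1, k)
    chosen = set(sat[:k])
    for i in range(len(formulas)):
        w[f'y_{i + 1},{k}'] = F(1, k) if i in chosen else F(0)
    return w

# Constructed instance: φ1 = x1, φ2 = ¬x1 ⊕ x2, φ3 = x1 ⊕ x2 under v(x1)=1, v(x2)=1/2.
# φ2 takes the value 1/2: unsatisfied, yet not 0.
PHIS = ['x1', oplus(neg('x1'), 'x2'), oplus('x1', 'x2')]
V = {'x1': F(1), 'x2': F(1, 2)}

def check(formulas=PHIS, v=V, k=2):
    """Return (how many formulas v satisfies, whether v' satisfies the reduction)."""
    count = sum(satisfied(phi, v) for phi in formulas)
    w = witness(formulas, v, k)
    return count, all(satisfied(f, w) for f in reduction(formulas, k))
```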


Corollary 1. The problem MaxSAT-DEC is NP-complete. 


This reduction from MaxSAT-DEC to SAT provides a practical approach to the MaxSAT problem in $[0,1]_{\text{Ł}}$, provided that we use a competitive algorithm for solving SAT (i.e., the satisfiability problem in $[0,1]_{\text{Ł}}$). We could rely on either of the following two SAT solvers, which have been shown to be rather efficient. The first one is the tableau with constraints method proposed by Hähnle [12] that reduces SAT to Mixed Integer Programming (MIP) and can therefore use any available MIP solver. The second one is the Satisfiability Modulo Theory (SMT) method proposed by Ansótegui et al. that reduces SAT to an SMT satisfiability problem and can use any available SMT solver [6,7,32]. These methods can take advantage of the latest developments and innovations in MIP and SMT solvers, avoiding the need to implement a SAT solver from scratch. 

A polynomial-time Turing (a.k.a. Cook) reduction of MaxSAT-OPT to MaxSAT-DEC can be given, as we proceed to explain. It is this approach that prompts our referring to this method of solving MaxSAT-OPT as canonical, given its wide scope of applicability to optimization problems (see, e.g., [29]). The reduction uses an unspecified algorithm for MaxSAT-DEC as an oracle; as usual with oracle computations, any call to the oracle counts as one step in the computation and under this proviso, the oracle computation runs in time polynomial in the input size ($\sum_{i=1}^{m} |\varphi_i|$). Indeed, given an instance $(\varphi_1, \ldots, \varphi_m)$, it is easy to arrive at the optimal value for MaxSAT-OPT using binary search on the discrete, polynomial-size search space $\{1, \ldots, m\}$ of possible solutions, using at most $\lceil \log m \rceil$ oracle calls. Considering that MaxSAT-DEC is NP-complete by Corollary 1, we have the following: 


Corollary 2. MaxSAT-OPT is in $\mathrm{FP}^{\mathrm{NP}}$. 


For this conclusion, it is not important that the oracle solves MaxSAT-DEC; any oracle solving an NP-complete problem (an NP-oracle) would suit, and indeed one can use any algorithm for SAT, relying on Theorem 1. In view of the obvious reduction from MaxSAT-DEC to MaxSAT-OPT, the two problems are equivalent in the sense that if either has a polynomial-time algorithm, so does the other. This is standard, and it is why the decision version of an optimization problem is often considered in lieu of the problem as such. 

Can one do better than $O(\log m)$ oracle calls? Below, we provide a classification of the problem in terms of Krentel's work [17] that suggests a negative answer subject to $\mathrm{P} \ne \mathrm{NP}$. Krentel ranks optimization problems in $\mathrm{FP}^{\mathrm{NP}}$ in terms of the number of calls to an NP-oracle. For $z : \mathbb{N} \to \mathbb{N}$ a smooth function (i.e., $z$ is non-decreasing and polynomial-time computable in unary representation), $\mathrm{FP}^{\mathrm{NP}}[z(n)]$ is the class of functions computable in polynomial time with an NP oracle with at most $z(|x|)$ oracle calls for instance $x$, where $|x|$ denotes the length of $x$. By definition, $\mathrm{FP}^{\mathrm{NP}}$ coincides with $\mathrm{FP}^{\mathrm{NP}}[n^{O(1)}]$ since a polynomial-time algorithm can make no more than a polynomial number of oracle calls. 
For $\Sigma$ a finite alphabet let $f, g : \Sigma^* \to \mathbb{N}$. A metric reduction [17] from $f$ to $g$ is a pair $(h_1, h_2)$ of polynomial-time computable functions where $h_1 : \Sigma^* \to \Sigma^*$ and $h_2 : \Sigma^* \times \mathbb{N} \to \mathbb{N}$ such that $f(x) = h_2(x, g(h_1(x)))$ for all $x \in \Sigma^*$. The notion of a metric reduction is a natural generalization of polynomial-time many-one reduction to optimization problems. It follows from the definition that for each smooth function $z$ as above, $\mathrm{FP}^{\mathrm{NP}}[z(n)]$ is closed under metric reductions. 


Theorem 2 ([17], see also [29]). Assume $\mathrm{P} \ne \mathrm{NP}$. 
Then $\mathrm{FP}^{\mathrm{NP}}[O(\log \log n)] \subsetneq \mathrm{FP}^{\mathrm{NP}}[O(\log n)] \subsetneq \mathrm{FP}^{\mathrm{NP}}[n^{O(1)}]$. 


Recall that Boolean algebras form a subvariety of MV-algebras. In particular, in any Boolean algebra, the interpretations of the strong and the weak disjunction coincide, as do the interpretations of the strong conjunction and the weak conjunction. When mapping the Boolean connectives to the $\mathcal{L}(\text{Ł})$ connectives, we take $\neg$ for the Boolean negation, $\vee$ for the Boolean disjunction, and $\odot$ as the Boolean conjunction. 

Moreover, in every nontrivial MV-algebra $\mathbf{A}$, the set consisting of its bottom element $0^{\mathbf{A}}$ and its top element $1^{\mathbf{A}}$ is closed under all operations of $\mathbf{A}$, and the subalgebra of $\mathbf{A}$ on the universe consisting of these two elements is isomorphic to the two-element Boolean algebra. 

Now let us recall the MaxSAT problem in the two-element Boolean algebra 
for CNF formulas, given as multisets of clauses. 


Classical-MaxSAT-OPT 

Instance: multiset $(C_1, \ldots, C_m)$ of Boolean clauses in variables $\{x_1, \ldots, x_n\}$. 
Output: the maximum integer $k \leq m$ such that there is an assignment $v$ in the two-element Boolean algebra on $\{0,1\}$ to $\{x_1, \ldots, x_n\}$ that satisfies at least $k$ clauses. 


Krentel [17] proves the following result: Classical-MaxSAT-OPT is complete for $\mathrm{FP}^{\mathrm{NP}}[O(\log m)]$ under metric reductions. 

We now prepare a few technical tools for eventually giving a metric reduction of Classical-MaxSAT-OPT to MaxSAT-OPT. Following [16, Def. 7.1], consider the language L(Ł) including the definable connectives and define: 

(i) a literal is a variable (such as $x$) or a negation thereof (such as $\neg x$); 
(ii) a $(\odot, \vee)$-formula is built up from literals using an arbitrary combination of $\odot$ and $\vee$; 
(iii) in particular, a clause is built up from literals using only $\vee$. 


Lemma 1. ([16, Thm. 7.4]) 

- The interpretation of any $(\odot, \vee)$-formula with $n$ variables in $[0,1]_{\mathrm{Ł}}$ is a convex function on $[0,1]^n$; 
- any $(\odot, \vee)$-formula (in particular, any clause) is satisfiable in $[0,1]_{\mathrm{Ł}}$ if and only if it is satisfiable in the two-element Boolean algebra $\{0,1\}$. 
Lemma 2. Let $C_1, \ldots, C_l$ be clauses in L(Ł) in variables $\{x_1, \ldots, x_n\}$. Assume $a \in [0,1]^n$ is such that $C_i(a) = 1$ for each $1 \leq i \leq l$. Then there is an element $b \in \{0,1\}^n$ such that $C_i(b) = 1$ for $1 \leq i \leq l$. 


Proof. We construct $b$ from $a$ in $n$ independent steps. Let $b_1 := a$. The $j$-th step takes $b_j$, assuming the property that $C_i(b_j) = 1$ for each $1 \leq i \leq l$, and produces $b_{j+1}$ with the same property, replacing the real value in the $j$-th coordinate of $b_j$ with a Boolean value (i.e., either 0 or 1). Lastly, we set $b := b_{n+1}$: all coordinates of $b$ are Boolean. 

We describe the $j$-th step. We simplify notation by writing $b'$ for $b_j$. We thus have $b' = (b'_1, \ldots, b'_n)$. Consider the $j$-th component of this vector: if $b'_j$ is 0 or 1, we set $b_{j+1} := b_j$, whereby the step is finished. If $0 < b'_j < 1$, define $b^0_j := (b'_1, \ldots, b'_{j-1}, 0, b'_{j+1}, \ldots, b'_n)$ and $b^1_j := (b'_1, \ldots, b'_{j-1}, 1, b'_{j+1}, \ldots, b'_n)$. By assumption, we have $C_1(b') = 1$. From Lemma 1, the interpretation of $C_1$ is a convex function. Now assume that either $C_1(b^0_j) \neq 1$ or $C_1(b^1_j) \neq 1$. Since $b'$ is a convex combination of $b^0_j$ and $b^1_j$ and no clause takes a value above 1, the corresponding convex combination of $C_1(b^0_j)$ and $C_1(b^1_j)$ is strictly below $C_1(b') = 1$, a contradiction with convexity. We conclude that $C_1(b^0_j) = C_1(b^1_j) = 1$. An analogous argument holds for the remaining clauses $C_2, \ldots, C_l$. This means that we can set either $b_{j+1} := b^0_j$ or $b_{j+1} := b^1_j$ and we will indeed have $C_i(b_{j+1}) = 1$ for each $1 \leq i \leq l$. 


Theorem 3. MaxSAT-OPT is complete for $\mathrm{FP}^{\mathrm{NP}}[O(\log m)]$ under metric reductions. 


Proof. Containment was obtained in Corollary 2 and the discussion preceding it. We prove hardness. We claim that the metric reduction of Classical-MaxSAT-OPT to MaxSAT-OPT is provided by a pair of identity functions. Take an arbitrary instance of the Classical-MaxSAT-OPT problem, namely a multiset $(C_1, \ldots, C_m)$ of Boolean clauses in variables $\{x_1, \ldots, x_n\}$, and interpret it as a multiset of clauses in L(Ł) (no change in notation is needed, see above). By Lemma 1, the interpretation of each $C_i$ for $i = 1, \ldots, m$ in $[0,1]_{\mathrm{Ł}}$ is a convex function. The convexity of the interpretation is not violated by rewriting each $C_i$ in the basic connectives of L(Ł); this yields formulas $(C_1^*, \ldots, C_m^*)$. Feed this $m$-tuple to the algorithm solving MaxSAT-OPT. The output is a natural number $k \leq m$ which indicates the maximal number among $(C_1^*, \ldots, C_m^*)$ that are simultaneously satisfiable by an assignment in $[0,1]$. We assume without loss of generality that the first $k$ formulas in the list are satisfied by some assignment; hence so are the first $k$ among $(C_1, \ldots, C_m)$. By Lemma 2, the same clauses (hence, the same number of clauses) are also simultaneously satisfiable by a Boolean assignment. This gives a lower bound on the number of simultaneously satisfiable clauses among $(C_1, \ldots, C_m)$ in $\{0,1\}$. At the same time, the two-element Boolean algebra is a subalgebra of $[0,1]_{\mathrm{Ł}}$, so any assignment in $\{0,1\}^n$ is also an assignment in $[0,1]^n$; therefore, considering that $k$ was the answer of the algorithm solving MaxSAT-OPT, no more than $k$ clauses among $(C_1, \ldots, C_m)$ can be simultaneously satisfiable in $\{0,1\}$, because otherwise $k$ would not be optimal for MaxSAT-OPT. Therefore $k$ is the optimal value. 
The binary search algorithm always makes a logarithmic number of oracle 
calls, no matter what the instance is. Also, the complexity analysis as given does 
not take into account the efficiency of the computations executed by the oracle; 
all that is known about the oracle is that it correctly decides a particular NP- 
complete problem. Considering the experience obtained in Boolean MaxSAT 
solvers based on Boolean SAT solvers, there might be alternatives to binary 
search that might turn out to be more efficient in practice, where one departs 
from the paradigm that emphasizes worst-case complexity. A typical Boolean 
MaxSAT solver does a linear search, either from unsatisfiable to satisfiable (core- 
guided approach), or from satisfiable to unsatisfiable (model-guided approach) 
[8,18]. The solvers heavily exploit the fact that the formulas in the multiset 
are Boolean clauses (i.e., a normal form is assumed) and that a SAT solver also 
returns a satisfying assignment or an unsatisfiable core; moreover, the calls to the 
SAT solver need not be independent runs. These parallels invite an open mind when implementing MaxSAT solvers for Łukasiewicz logic. 


4 Tableau-Like Method 


4.1 Satisfiability 


We give first a decision method for the SAT problem, combining several 
approaches that might be termed analytic. SAT and its complexity have been 
investigated in depth [1,2,6,7,9,12,14,16,21,23,26]. In particular, tableau cal- 
culi have been proposed in [12,24]. Presenting our decision method for SAT has 
several goals. It outlines our approach to a simpler problem than MaxSAT- 
OPT, to be modified in Subsect. 4.2. Our method for SAT can then be used as 
a lower bound on the complexity of the method for MaxSAT-OPT in Subsect. 
4.2. Furthermore, the method, in its variant generating a tree with an exponen- 
tial number of branches, provides a simple proof for SAT in NP and an upper 
bound on the runtime of a deterministic algorithm for SAT. 

The method operates in two subsequent stages. The first one is a variant of 
Tseitin transformation of an arbitrary formula to a formula in normal form [31]; 
in classical logic, the target normal form is a CNF, while in our case, the target 
normal form is a system of equations in the language £(L). The transformation 
preserves satisfiability, involves only a polynomial increase in size, and adds new 
variables. A variant of the transformation was used for testing SAT in [9]. 

Let $\|\varphi\|$ denote the number of pairwise distinct subformulas in $\varphi$.² Recall at this point the formula from Sect. 3 with subformula $(k-1)\varphi$. If the brackets in this subformula nest to the right (or to the left), then $\|(k-1)\varphi\|$ is proportional to $|(k-1)\varphi|$. But if $(k-1)\varphi$ is bracketed as a balanced binary tree, then $\|(k-1)\varphi\|$ is proportional to $\log_2(|(k-1)\varphi|)$. 


² $\varphi$ is viewed as a string, any subformula is a substring, and subformulas are the same if and only if the strings are. Thus $x \oplus (x \oplus x)$ is distinct from $(x \oplus x) \oplus x$. By convention $\neg\neg\psi$ does not occur as a subformula for any $\psi$, since $\neg\neg\psi = \psi$ in Ł. 


394 Z. Hanikova et al. 


The second stage is a tableau-like procedure that utilizes the system of equations obtained in the first stage as labels for nodes in a rooted linear tree, and expands the nodes using simple rules that translate these equations of L(Ł) into linear constraints in the reals. Subsequently, each branch is evaluated for solvability in the reals, analogously to [12,24]. 

The algorithm for SAT is given below. The presentation is informal. 


Decision method TŁ_SAT. Let $\varphi(x_1, \ldots, x_n)$ be an input formula. 


1. List subformulas. Let $L$ be the list of all pairwise distinct subformulas occurring in $\varphi$, including $\varphi$ and all its variables. Let $l$ be the number of items in $L$. If $\varphi$ does not contain any double negations, we have $l = \|\varphi\|$. We assume that if $\alpha$ is a subformula of $\beta$, then $\alpha$ occurs before $\beta$ in $L$. 

2. Name subformulas. Introduce new pairwise distinct variables $z_i$ for the $i$-th formula in $L$ with $1 \leq i \leq l$. These will be called "$z$-variables". It is assumed that the $z$-variables are also distinct from each $x_j$ for $1 \leq j \leq n$.³ 

3. Equations on names. Let $S$ be the list of equations in the language $\{\neg, \oplus\}$ obtained by initializing $S$ as empty and taking the following step for each item in the list $L$: 

- if $x$ is a propositional variable in $\varphi$ and $1 \leq i \leq l$ and $z_i$ is the variable for $x$, include in $S$ the equation $x = z_i$; 
- if $\neg\alpha$ is a subformula of $\varphi$ and $1 \leq i, j \leq l$ and $z_i$ is the variable for $\alpha$ and $z_j$ is the variable for $\neg\alpha$, include in $S$ the equation $z_j = \neg z_i$; 
- if $\alpha \oplus \beta$ is a subformula of $\varphi$ and $1 \leq i, j, k \leq l$ and $z_i, z_j, z_k$ are the variables for $\alpha$, $\beta$, $\alpha \oplus \beta$ respectively, include in $S$ the equation $z_i \oplus z_j = z_k$. 

Having each item of $L$ processed, $S$ contains equations in the language L(Ł). The number of equations in $S$ is $l$. 

4. Initialize tree. Initialize a rooted tree $T$, linear at this stage, with $l$ nodes. From the root down, label each node of $T$ with one equation from $S$. Start with the equations containing the $x$-variables and mark them final. Then process those containing $\neg$ and subsequently those containing $\oplus$, and mark each of these as active.⁴ 

5. Boundary constraints. Append before the root $2l$ new nodes labelled $0 \leq z_i$ and $z_i \leq 1$ for each $i = 1, \ldots, l$. Mark each as final. 

6. Target constraint. Append as the new root of the tree a node labelled $z_l = 1$, for $z_l$ the variable introduced for $\varphi$. (By the convention taken in step 1, $z_l$ is assigned to $\varphi$.) Mark it final. 


³ This is a convention in favour of clarity of presentation. Avoiding the introduction of new variables for the atoms $x_1, \ldots, x_n$ would save $n$ new variables. 

⁴ The structure of $T$ will be linear up to a certain point and binary from there on. This is the case because a) the equations with the $x$-variables are not expanded, and b) all the equations with $\neg$ are expanded before any of the equations with $\oplus$, and the expansion rule for $\neg$ does not lead to branching. Cf. Example 1. 
7. Expand tree. From the root of $T$ towards the leaves, process each node $N$: 

- If the label of $N$ is marked final (i.e., does not contain $\neg$ or $\oplus$), leave it intact and proceed to the next node. 
- If the label of $N$ is marked active (contains $\neg$ or $\oplus$), mark it passive, and below each leaf of $T$ append a new subtree with labelled nodes using the following expansion rules (one new node per constraint), marking each new label final: 

    z_i ⊕ z_j = z_k                             z_j = ¬z_i 
    ---------------------------------------     -------------- 
    z_k = z_i + z_j    |    z_k = 1             z_j = 1 − z_i 
    z_i + z_j ≤ 1      |    z_i + z_j ≥ 1 

An application of the rule on the left involves branching below each leaf of $T$. The labels in the conclusions of these rules are linear constraints in real numbers. The mark final indicates that the algorithm leaves them intact. Having processed all nodes of $T$, each branch of $T$ defines a system of linear constraints marked final in an unambiguous way. 

8. Solve systems. From the leftmost branch to the right, test the system of constraints on the branch for solvability in $\mathbb{R}$⁵ until a branch is found whose system of constraints is solvable. In such a case, return 'yes' and exit. 

9. Default. Return 'no' and exit. 


Typically in an analytic tableau method (cf. e.g. Hähnle [12]), one starts with a given formula $\varphi$ and decomposes it, taking one occurrence of a connective in each step and expanding the tableau using the given tableau rules. If a subformula of $\varphi$ occurs multiple times in $\varphi$, it is processed multiple times and each time new variables are introduced with it: cf. e.g. [12, Section 5.1], where new variables $i_1$ and $i_2$ are introduced for each occurrence of an implication. This is a feature of the analytic method. By creating the set of subformulas first, we avoid this and have potentially fewer new variables. (Cf. also the introduction in [24]; by its criteria our method might therefore not qualify as purely analytic.) 


Example 1. A simple example will illustrate the generation of the tree and the resulting systems of constraints. Consider the formula $((x \oplus \neg y) \oplus \neg(x \oplus y)) \oplus \neg(x \oplus y)$. A list of its subformulas is the following: 

$(x,\ y,\ \neg y,\ x \oplus y,\ x \oplus \neg y,\ \neg(x \oplus y),\ (x \oplus \neg y) \oplus \neg(x \oplus y),\ ((x \oplus \neg y) \oplus \neg(x \oplus y)) \oplus \neg(x \oplus y))$ 

In order to present the example in a compact way, we write three initial nodes only: the first with the boundary, target and ground equations; the second with the equations from $S$ with the symbol $\neg$; and the third with the equations from $S$ with the symbol $\oplus$. Below this, we expand the tree as described by the algorithm. We omit the marks (active, passive, final). We use vertical dots to indicate that the tree to be included in their place is a copy of the one depicted beside it. 


⁵ The testing procedure is in P. For the purpose of testing, one can render each equality $ax = b$ as two inequalities $ax \leq b$ and $-ax \leq -b$. 
z_8 = 1, {0 ≤ z_i ≤ 1}_{1 ≤ i ≤ 8}, z_1 = x, z_2 = y 
  | 
z_6 = ¬z_4, z_3 = ¬z_2 
  | 
z_8 = z_7 ⊕ z_6, z_7 = z_5 ⊕ z_6, z_5 = z_1 ⊕ z_3, z_4 = z_1 ⊕ z_2 
  | 
z_6 = 1 − z_4, z_3 = 1 − z_2 
  | 
  +-- z_8 = z_7 + z_6, z_7 + z_6 ≤ 1 
  |     | 
  |     +-- z_7 = z_5 + z_6, z_5 + z_6 ≤ 1 
  |     |     | 
  |     |     +-- z_5 = z_1 + z_3, z_1 + z_3 ≤ 1 
  |     |     |     | 
  |     |     |     +-- z_4 = z_1 + z_2, z_1 + z_2 ≤ 1 
  |     |     |     +-- z_4 = 1, z_1 + z_2 ≥ 1 
  |     |     +-- z_5 = 1, z_1 + z_3 ≥ 1 
  |     |           ⋮ 
  |     +-- z_7 = 1, z_5 + z_6 ≥ 1 
  |           ⋮ 
  +-- z_8 = 1, z_7 + z_6 ≥ 1 
        ⋮ 


Lemma 3. The expansion rules in step 7 of TŁ_SAT preserve the following invariant: for any assignment $v$ of values in $[0,1]$ to all $z$-variables, $v$ satisfies the equation in the premise in the algebra $[0,1]_{\mathrm{Ł}}$ if and only if $v$ satisfies all constraints in at least one branch in the conclusions of the rule in the algebra $\mathbb{R}$. 


Proof. Notice that the expansion rules work as a switch between the signature of L(Ł) and the language of real closed fields. (Where, by slight abuse of language, we only differentiate between the two sets of operation symbols, but not the relation symbols.) In both cases the statement is a straightforward consequence of the semantics of the connectives $\neg$ and $\oplus$ in $[0,1]_{\mathrm{Ł}}$. We prove the case for $\oplus$. Top-to-bottom: let $v$ be an assignment of values in $[0,1]$ to the $z$-variables introduced in step 2, and consider $z_i, z_j, z_k$ such that $v(z_i) \oplus v(z_j) = v(z_k)$ is true in $[0,1]_{\mathrm{Ł}}$. Then it must be the case that either $v(z_i) + v(z_j) \leq 1$ and $v(z_i) + v(z_j) = v(z_k)$ hold in $\mathbb{R}$, or $v(z_i) + v(z_j) \geq 1$, in which case we also have $v(z_k) = 1$ in $\mathbb{R}$. Bottom-to-top: again let $v$ be an assignment of values in $[0,1]$ to $z$-variables. If $v(z_i) + v(z_j) \leq 1$ and $v(z_i) + v(z_j) = v(z_k)$ both hold in $\mathbb{R}$, then $v(z_i) \oplus v(z_j) = v(z_k)$ is true in $[0,1]_{\mathrm{Ł}}$. If $v(z_i) + v(z_j) \geq 1$ and $v(z_k) = 1$ in $\mathbb{R}$, then $v(z_i) \oplus v(z_j) = v(z_k)$ is true in $[0,1]_{\mathrm{Ł}}$. This exhausts the possible cases. 


Theorem 4. The method TŁ_SAT is sound and complete for SAT. 


Proof. The soundness claim states that whenever the method answers 'yes' on input $\varphi$, then there is an assignment $v$ to $x_1, \ldots, x_n$ such that $v(\varphi) = 1$. So assume that there is a branch $B$ of $T$ such that the system of constraints 


The MaxSAT Problem in the Real-Valued MV-Algebra 397 


given by $B$ is solvable under some assignment $v$ to the variables on $B$, and fix $v$. In particular, for $i = 1, \ldots, n$, the variable $x_i$ gets the value $v(z_i)$ (notice each $x_i$ occurs on every branch). The assignment $v$ extends to $\varphi$ in a unique way, and one shows by induction on the structure of $\varphi$, using Lemma 3, that for any subformula $\psi$ of $\varphi$ we have $v(\psi) = v(z_j)$, for $z_j$ with $j \in \{1, \ldots, l\}$ the $z$-variable assigned to $\psi$ in step 2. In particular, $v(\varphi) = 1$. 

The completeness claim states that if $v(\varphi) = 1$ for some assignment $v$, then the method yields 'yes' on input $\varphi$. So fix $v$ such that $v(\varphi) = 1$. We claim there is a branch of $T$ with a solvable system of constraints. First produce the full tree $T$. Then assign values to all $z$-variables, starting from those that are names for $x_1, \ldots, x_n$, and then inductively on the structure of $\varphi$, using again that $v(\psi) = v(z_j)$ for the $z_j$ assigned to $\psi$ in step 2. This is consistent with the equations obtained in step 3. By abuse of language, call this assignment $v$. The assignment $v$ makes it possible to travel downward from the root of $T$ via labelled nodes, using Lemma 3 to show that $v$ satisfies each label: in particular, if $T$ branches due to a node with label $z_i \oplus z_j = z_k$, then (assuming the label in the premise is satisfied by $v$) Lemma 3 guarantees that there is at least one branch on which the new (and hence all) labels are satisfied by $v$. Finally a leaf $L$ of $T$ is reached: since Lemma 3 was applied at each expansion, and since the boundary and the target constraints clearly hold under $v$, all final constraints on the branch determined by $L$ hold under $v$. 


Lemma 4. The problem SAT on instance $\varphi$ can be solved deterministically by constructing the tree $T$ and testing the solvability of systems of linear constraints in $\mathbb{R}$ on no more than $2^{\|\varphi\|}$ branches. Each branch has at most $4\|\varphi\| + 1$ constraints and $\|\varphi\| + n$ variables. 

Proof. Branching of the tree takes place at each occurrence of $\oplus$ in $S$; the number of such occurrences is bounded by $\|\varphi\|$. Each branch has at most $2\|\varphi\|$ constraints for subformulas, plus $2\|\varphi\|$ boundary constraints, plus a target constraint. (Here we do not consider the possibility of replacing each equation with two inequalities.) Each branch of the tree uses all the variables: the $n$ input variables $x_1, \ldots, x_n$ and the $\|\varphi\|$ $z$-variables. 


Corollary 3. The problem SAT is in NP; in particular, a formula is satisfiable if and only if there is a polynomial-size witness consisting of a tableau branch of the method TŁ_SAT and a matching system of constraints solvable in $\mathbb{R}$. 

Proof. Since the method TŁ_SAT is sound and complete for SAT by Theorem 4, any satisfiable formula has the following polynomial-size certificate of its satisfiability in $[0,1]_{\mathrm{Ł}}$: the system of equations in $z$-variables constructed in step 3, and a branch of the tree $T$, defined by a list of instructions specifying which branch to take upon each application of the $\oplus$-rule, combined with a system $C$ of constraints that matches the indicated branchings (in the sense that the equations with $\oplus$ have been expanded according to the specified branch) and such that $C$ is solvable in $\mathbb{R}$. On the other hand, the soundness and completeness theorem also says that an unsatisfiable formula cannot have such a certificate. 
Furthermore, any decision tree obtained from the above procedure can be linearized, using the methods of [12]. In particular, any instance of an application of the branching rule introduced in step 7 can be replaced by an instance of an application of the following lemma (observing the condition that distinct Boolean variables are used for distinct instances): 


Lemma 5. (Cf. [12, Sect. 5.1], [13, Lemma 6.2.19]) Assume $a_1, a_2, a_3 \in [0,1]$. Then $a_1 \oplus a_2 = a_3$ holds in $[0,1]_{\mathrm{Ł}}$ if and only if there is a $y \in \{0,1\}$ such that all of the following constraints hold in $\mathbb{R}$: 

(i) $a_1 + a_2 \leq 1 + y$ 
(ii) $y \leq a_1 + a_2$ 
(iii) $a_3 \leq a_1 + a_2$ 
(iv) $a_1 + a_2 \leq a_3 + y$ 
(v) $y \leq a_3$. 


Proof. Assume $a_1 \oplus a_2 = a_3$ holds in $[0,1]_{\mathrm{Ł}}$. Case 1: $a_1 + a_2 \leq 1$; then from the assumption we have $a_1 + a_2 = a_3$. We set $y := 0$. The fact that $a_1, a_2, a_3 \in [0,1]$ implies (ii) and (v); the remaining constraints in the lemma follow from $a_1 + a_2 = a_3$. Case 2: $a_1 + a_2 > 1$. The assumption implies $a_3 = 1$; we set $y := 1$ and get (v). The fact that $a_1, a_2, a_3 \in [0,1]$ implies (i) and (iv). From $a_1 + a_2 > 1$ we get (ii) and (iii). 

Now assume there is a $y \in \{0,1\}$ such that all the constraints listed hold in $\mathbb{R}$. Case 1: $y = 0$. We have (i) $a_1 + a_2 \leq 1$ and, by (iii) and (iv), $a_3 \leq a_1 + a_2 \leq a_3$. Hence $a_1 \oplus a_2 = a_3$. Case 2: $y = 1$. We have (v) $1 \leq a_3$ and (ii) $1 \leq a_1 + a_2$. Hence $a_1 \oplus a_2 = a_3$. 
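An added check, not from the paper, that the two-branch ⊕-rule of step 7 (Lemma 3) and the single-branch linearization of Lemma 5 both agree with the semantics of ⊕ in $[0,1]_{\mathrm{Ł}}$. It enumerates every triple $(a_1, a_2, a_3)$ of multiples of $1/d$ for a chosen denominator $d$ and raises on the first disagreement; all function names are constructed for this example.

```python
from fractions import Fraction
from itertools import product

def oplus(a, b):
    """Strong disjunction in [0,1]_Ł: a ⊕ b = min(1, a + b)."""
    return min(Fraction(1), a + b)

def branch_rule(a1, a2, a3):
    """Step-7 rule (Lemma 3): a1 ⊕ a2 = a3 iff one of its two conclusions holds in R."""
    left = a1 + a2 <= 1 and a1 + a2 == a3        # z_k = z_i + z_j, z_i + z_j <= 1
    right = a1 + a2 >= 1 and a3 == 1             # z_k = 1, z_i + z_j >= 1
    return left or right

def linearized(a1, a2, a3):
    """Lemma 5: some Boolean y makes the five linear constraints (i)-(v) hold in R."""
    return any(a1 + a2 <= 1 + y and y <= a1 + a2 and a3 <= a1 + a2
               and a1 + a2 <= a3 + y and y <= a3 for y in (0, 1))

def agree_on_grid(denominator):
    """Compare the three renderings on every triple of multiples of 1/denominator.
    Returns (triples checked, triples where a1 ⊕ a2 = a3 holds); raises on disagreement."""
    grid = [Fraction(k, denominator) for k in range(denominator + 1)]
    checked = hits = 0
    for a1, a2, a3 in product(grid, repeat=3):
        semantic = oplus(a1, a2) == a3
        if semantic != branch_rule(a1, a2, a3) or semantic != linearized(a1, a2, a3):
            raise AssertionError(f"disagreement at {(a1, a2, a3)}")
        checked += 1
        hits += semantic
    return checked, hits
```

For denominator $d$ the check visits $(d+1)^3$ triples, of which exactly $(d+1)^2$ satisfy $a_1 \oplus a_2 = a_3$ (one value of $a_3$ per pair). The grid is a sanity check of the case analysis in the two proofs, not a substitute for them, since both rules are stated for all reals in $[0,1]$.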


This modification eventually yields, in step 8, a single MIP problem, one of the extant competitive ways to address the SAT problem. A major advantage of using a MIP solver is the advanced possibility of applying heuristics, whereas in the simple version above, the only optimization considered is aborting the computation upon finding a branch with a solvable system. That is: by design, the algorithm TŁ_SAT needs to generate and perhaps eventually test exponentially many systems of equations. However, from the viewpoint of worst-case deterministic complexity, the MIP method does not differ substantially from testing the (possibly exponentially many) branches. 


4.2 Maximum Satisfiability 


In this Subsection we adapt the previous method to the MaxSAT-OPT problem from Sect. 2. It is easily observed that the usual methods for SAT, the method from the previous Subsection among them (even if it easily adapts to test joint satisfiability of a list of formulas), are not applicable to MaxSAT-OPT; cf. [19] for a discussion. One problem is that they yield a Boolean value. Taking any satisfiable formula $\alpha$ and considering the $m$-element list $(\alpha, \ldots, \alpha)$, for any $m > 1$, 


⁶ One might optimize by testing immediately on every generated branch and exiting the computation upon finding one with a solvable system. In our exposition, though, we prefer to consider the size of the full decision tree. 
clearly a complete method needs to produce the answer $m$ on this input. The tableau approaches of [12,24] use MIP solvers on branches, also returning a Boolean value. Another feature of the method from the previous Subsection is that it considers distinct subformulas as a set; thus any repetition of the same formula in the input list would be obliterated. 

These considerations invite the approach of preserving the Tseitin-like proce- 
dure of listing equations obtained from the subformulas, but combining it with: 


— updating the target constraint for a multiset of formulas on input, and 
— updating the query about the system of constraints obtained on each branch. 


The following algorithm updates the decision method TŁ_SAT from Subsect. 4.1. To highlight the differences, each step only gives the information that has changed compared to the previous case. 


Optimization method TŁ_MaxSAT for computing MaxSAT-OPT. 
Let $(\varphi_1, \ldots, \varphi_m)$ be a list of formulas in variables $x_1, \ldots, x_n$. 

1. List subformulas. Let $L$ be the list of all pairwise distinct subformulas occurring in $\varphi_1, \ldots, \varphi_m$, including each formula $\varphi_i$ with $1 \leq i \leq m$ and all variables $x_1, \ldots, x_n$. Let $l$ be the number of items in $L$. Conventions as in step 1 of TŁ_SAT. 

2. Name subformulas. As before. 

3. Equations on names. As before. 

4. Initialize tree. As before. 

5. Boundary constraints. As before. 

6. Mark hard constraints. For each node in $T$ up to this point, mark all constraints as hard constraints. 

7. Target constraints. Append before the root of $T$ a new chain with labels 

$z_{j_1} = 1, \ldots, z_{j_m} = 1$ 

for $z_{j_i}$ the variable introduced for $\varphi_i$, with $i = 1, \ldots, m$, preserving the multiplicity of $\varphi_i$ in the input list. Mark these constraints as soft constraints. 

8. Expand tree. As before, preserving in the expansion that a hard constraint produces hard constraints. 

9. Solve systems. From the leftmost branch to the right, take one branch at a time. Each branch defines, via the final labels, a system of linear constraints in $\mathbb{R}$, with the target constraints from step 7 marked soft and all other constraints marked hard. Thus each branch defines an instance of the Max-FS problem with hard and soft constraints. Obtain the solution (i.e., a natural number, possibly 0) to the instance on each branch.⁷ 

10. Maximize. Return the maximum number of satisfied soft constraints among the constraint systems over all the branches, and exit. 


⁷ Since all equalities are marked hard, any feasible solution to the Max-FS task will need to satisfy all of them. More generally, see [5, Concluding remarks] for handling soft constraints that are equalities. 
Example 2. Let us consider the list of formulas $((x \oplus \neg y) \oplus \neg x,\ \neg x,\ x \oplus \neg y,\ x)$. A list of its subformulas (according to the definition in step 1) is the following: 

$(x,\ y,\ \neg x,\ \neg y,\ x \oplus \neg y,\ (x \oplus \neg y) \oplus \neg x)$ 

In order to depict the example in a compact way we use the same conventions as in Example 1. Furthermore, the soft constraints are marked explicitly. 

z_6 = 1, z_3 = 1, z_5 = 1, z_1 = 1 (soft), {0 ≤ z_i ≤ 1}_{1 ≤ i ≤ 6}, z_1 = x, z_2 = y 
  | 
z_3 = ¬z_1, z_4 = ¬z_2 
  | 
z_5 = z_1 ⊕ z_4, z_6 = z_5 ⊕ z_3 
  | 
z_3 = 1 − z_1, z_4 = 1 − z_2 
  | 
  +-- z_5 = z_1 + z_4, z_1 + z_4 ≤ 1 
  |     | 
  |     +-- z_6 = z_5 + z_3, z_5 + z_3 ≤ 1 
  |     +-- z_6 = 1, z_5 + z_3 ≥ 1 
  +-- z_5 = 1, z_1 + z_4 ≥ 1 
        | 
        +-- z_6 = z_5 + z_3, z_5 + z_3 ≤ 1 
        +-- z_6 = 1, z_5 + z_3 ≥ 1 
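The two methods, TŁ_SAT from Subsect. 4.1 (Example 1) and TŁ_MaxSAT above (Example 2), as an added example that is not part of the paper and is not the authors' implementation. It works over the basic connectives $\neg$ and $\oplus$ only, assumes a constructed formula syntax of nested tuples, identifies each $x$-variable with its own $z$-name (which footnote 3 permits), and tests the constraint system of each branch exactly over the rationals by substituting equalities away and then running Fourier-Motzkin elimination, instead of calling an LP or MIP solver. The Max-FS instance on each branch is solved by brute force over subsets of the soft constraints, which is adequate only for small inputs. Boolean clauses for Theorem 3 can be fed in by writing $x \vee y$ as $\neg(\neg x \oplus y) \oplus y$.

```python
from fractions import Fraction
from itertools import combinations

def normalize(f):
    """Remove double negations: by convention ¬¬ψ = ψ is never a subformula."""
    if isinstance(f, str):
        return f
    if f[0] == 'oplus':
        return ('oplus', normalize(f[1]), normalize(f[2]))
    g = normalize(f[1])
    return g[1] if not isinstance(g, str) and g[0] == 'neg' else ('neg', g)

def list_subformulas(formulas):
    """Step 1: pairwise distinct subformulas, each listed after its own subformulas."""
    order = []
    def visit(f):
        if f not in order:
            if not isinstance(f, str):
                for g in f[1:]:
                    visit(g)
            order.append(f)
    for f in formulas:
        visit(f)
    return order

def lin(l, terms, rhs, eq):
    """Constraint sum(coef * z_i) = rhs if eq else <= rhs, over the l z-variables."""
    c = [Fraction(0)] * l
    for i, a in terms:
        c[i] += Fraction(a)
    return (tuple(c), Fraction(rhs), eq)

def hard_branches(sub):
    """Steps 2-8 minus the targets: root chain, then the step-7 ⊕-rule below every leaf."""
    l = len(sub)
    idx = {f: i for i, f in enumerate(sub)}
    base = [lin(l, [(i, s)], max(s, 0), False) for i in range(l) for s in (-1, 1)]  # 0 <= z_i <= 1
    for f in sub:                                                # z_j = ¬z_i as z_i + z_j = 1
        if not isinstance(f, str) and f[0] == 'neg':
            base.append(lin(l, [(idx[f[1]], 1), (idx[f], 1)], 1, True))
    branches = [base]
    for f in sub:                                                # z_i ⊕ z_j = z_k
        if not isinstance(f, str) and f[0] == 'oplus':
            i, j, k = idx[f[1]], idx[f[2]], idx[f]
            left = [lin(l, [(i, 1), (j, 1), (k, -1)], 0, True),   # z_k = z_i + z_j
                    lin(l, [(i, 1), (j, 1)], 1, False)]           # z_i + z_j <= 1
            right = [lin(l, [(k, 1)], 1, True),                    # z_k = 1
                     lin(l, [(i, -1), (j, -1)], -1, False)]        # z_i + z_j >= 1
            branches = [b + left for b in branches] + [b + right for b in branches]
    return branches

def feasible(cons):
    """Exact test over Q: substitute equalities away, then Fourier-Motzkin on the rest."""
    rows = [[list(c), r, eq] for c, r, eq in cons]
    n = len(rows[0][0])
    while True:
        row = next((r for r in rows if r[2]), None)
        if row is None:
            break
        rows = [r for r in rows if r is not row]
        piv = next((v for v in range(n) if row[0][v] != 0), None)
        if piv is None:
            if row[1] != 0:
                return False                     # 0 = c with c != 0
            continue
        for other in rows:
            f = other[0][piv] / row[0][piv]
            if f != 0:
                other[0] = [a - f * b for a, b in zip(other[0], row[0])]
                other[1] -= f * row[1]
    ineq = [(tuple(c), r) for c, r, _ in rows]
    for v in range(n):
        pos = [(c, r) for c, r in ineq if c[v] > 0]
        neg = [(c, r) for c, r in ineq if c[v] < 0]
        rest = [(c, r) for c, r in ineq if c[v] == 0]
        for cp, rp in pos:
            for cn, rn in neg:                   # scale so the v-coefficients cancel
                rest.append((tuple(x / cp[v] - y / cn[v] for x, y in zip(cp, cn)), rp / cp[v] - rn / cn[v]))
        ineq = list(set(rest))
    return all(r >= 0 for _, r in ineq)           # only constraints 0 <= r remain

def tl_sat(phi):
    """TŁ_SAT: add the target z_l = 1 and accept at the first solvable branch."""
    sub = list_subformulas([normalize(phi)])
    target = lin(len(sub), [(len(sub) - 1, 1)], 1, True)
    return any(feasible(b + [target]) for b in hard_branches(sub))

def tl_maxsat(formulas):
    """TŁ_MaxSAT: soft targets z_{φ_i} = 1 (multiplicity kept), Max-FS per branch by brute force."""
    forms = [normalize(f) for f in formulas]
    sub = list_subformulas(forms)
    soft = [lin(len(sub), [(sub.index(f), 1)], 1, True) for f in forms]
    best = 0
    for b in hard_branches(sub):
        for k in range(len(soft), best, -1):        # larger subsets of soft constraints first
            if any(feasible(b + list(s)) for s in combinations(soft, k)):
                best = k
                break
    return best
```

On the formula of Example 1, `tl_sat` lists 8 subformulas, expands 16 branches and answers 'yes'; on the list of Example 2, `tl_maxsat` expands 4 branches and returns 3, and on a list $(\alpha, \alpha, \alpha)$ it returns 3 as Subsect. 4.2 requires. A formula such as $\neg(\neg(x \oplus x) \oplus \neg(\neg x \oplus \neg x))$, which evaluates to 1 only at $x = 1/2$, is reported satisfiable, which a search over Boolean assignments would miss.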


Theorem 5. The method TŁ_MaxSAT is sound and complete for MaxSAT-OPT. 


Proof. The soundness claim states that whenever the method returns $k \in \mathbb{N}$ on input $(\varphi_1, \ldots, \varphi_m)$, then there is an assignment $v$ to the variables $x_1, \ldots, x_n$ that satisfies $k$ formulas among $(\varphi_1, \ldots, \varphi_m)$. If TŁ_MaxSAT returns $k$, that means the tree $T$ was constructed with a branch $B$ and a system of constraints given by $B$ that yielded $k$ upon solving the Max-FS problem with hard and soft constraints, and that this was the maximum solution among all branches. Fix an assignment $v$ to the $z$-variables witnessing this solution and notice that $v$ defines values for $x_1, \ldots, x_n$. Using Lemma 3, all hard constraints from the system, in particular all constraints from steps 3, 5 and 8, are satisfied by $v$, and so are $k$ of the target constraints. If $\psi$ is a subformula of some $\varphi_i$ with $i \in \{1, \ldots, m\}$, we have $v(\psi) = v(z_j)$ whenever $z_j$ is the $z$-variable assigned to $\psi$, by induction. In particular, from step 7 we have that there are $k$ formulas $\varphi_i$ among $(\varphi_1, \ldots, \varphi_m)$ such that $v(\varphi_i) = 1$. 

The completeness claim states that if, for some assignment $v$, there are $k$ items $\varphi_i$ on the list $(\varphi_1, \ldots, \varphi_m)$ such that $v(\varphi_i) = 1$, then the method TŁ_MaxSAT yields at least $k$ on that instance. So assume that $v(\varphi_i) = 1$ for at least $k$ such items and fix $v$. We claim there is a branch $B$ of $T$ with a system of constraints that yields at least $k$ upon solving its instance of the Max-FS problem. First construct the tree $T$. From $v$, we get values for $x_1, \ldots, x_n$ and the $z$-variables that are their names, and, using the equations from step 3, for the remaining $z$-variables. The assignment $v$ indicates a leaf of $T$ that defines a branch $B$ via a series of (possibly non-unique) choices on the hard constraints. If $\psi$ is a subformula of some $\varphi_i$ with $i \in \{1, \ldots, m\}$, then again $v(\psi) = v(z_j)$ whenever $z_j$ is the $z$-variable assigned to $\psi$, so all the hard constraints and at least $k$ soft constraints are satisfied on $B$ under $v$. Since $k$ formulas on input are satisfied by $v$, also $k$ soft constraints are satisfied. Thus the method TŁ_MaxSAT, which returns a maximum over all branches, will yield a value no less than $k$. 


To put side by side the efficiency of the method TŁ_SAT from Subsect. 4.1 with the method TŁ_MaxSAT above, we assume a modification of TŁ_SAT that takes as input a finite list of arbitrary formulas $(\varphi_1, \ldots, \varphi_m)$ and tests their joint satisfiability. Then we obtain comparable trees from both methods, the main difference being in the target constraints. Each branch of the tree obtained from TŁ_SAT defines a set of constraints the solvability of which is in P. It is typically not necessary to test solvability on all the branches. On the other hand, if $(\varphi_1, \ldots, \varphi_m)$ is an input to TŁ_MaxSAT, then on each branch of the generated tree it is indeed necessary to solve the Max-FS problem with hard and soft constraints that the branch defines, because the method eventually takes a maximum over all the branches. Moreover, the problem on each branch is NP-hard [4]. In this sense, the complexity of the method TŁ_SAT is a lower bound on the complexity of the method TŁ_MaxSAT as presented above. 

One can conceive optimizing the method TŁ_MaxSAT by observing that, firstly, the multiset of soft constraints remains the same over all the branches, and secondly, if any subset $S'$ of a set $S$ of hard constraints is unsolvable, then so is $S$. We refrain from pursuing these considerations here, since they are addressed by the methods used in MIP solvers. The following lemma comes in useful. 


Lemma 6. The tree obtained from the TŁ_MaxSAT method can be linearized at the cost of adding at most $\|\varphi\|$ Boolean variables. The linearization method does not affect the soft constraints. 


Proof. Any branching in step 8 of the algorithm can be replaced by expanding 
the tree with new nodes (without branching) using Lemma 5. The constraints 
obtained from the Lemma are all marked hard. This step therefore does not 
impact the set of possible solutions to the hard constraints in the system. The 
soft constraints are the same on all the branches, therefore the soft constraints 
in the linearization are well defined. 


An extension of the Max-FS problem with Boolean variables among the set of hard constraints can also be rendered as a MIP problem with hard and soft constraints, with the Boolean variables not occurring in the soft constraints. Section 3 gives as a benchmark for MaxSAT-OPT $\log m$ calls to a MIP solver for SAT with inputs of size $O(\sum_{i=1}^{m} |\varphi_i| + m^2)$. 


5 Concluding Remarks and Future Work 


Envisaged work on this material will consider finite-valued reductions of the SAT problem via upper bounds on denominators [1-3] to obtain a comparison with variants of TŁ_SAT for deterministic worst-case complexity for arbitrary formulas. Also, it remains to be seen whether upper bounds on denominators (a "small-model theorem", cf., e.g., [11]) can be used to classify the decision version of the above Max-FS problem with Boolean variables among its hard constraints within $\mathrm{FP}^{\mathrm{NP}}$ for a conclusive comparison with the canonical approach. Another line of possible work stems from a generalized notion of satisfiability, considering, instead of the MaxSAT family of problems, their MaxSAT$_r$ version, for a rational $r \in (0,1]$, asking for the maximum number of formulas that are assigned a value greater than or equal to $r$ by a single assignment. 
Abstract. The standard semantics of separation logic is restricted to 
finite heaps. This restriction already gives rise to a logic which does 
not satisfy compactness, hence it does not allow for an effective, sound 
and complete axiomatization. In this paper we therefore study both the 
general model theory and proof theory of the separation logic of finite and 
infinite heaps over arbitrary (first-order) models. We show that we can 
express in the resulting logic finiteness of the models and the existence of 
both countably infinite and uncountable models. We further show that a 
sound and complete sequent calculus still can be obtained by restricting 
the second-order quantification over heaps to first-order definable heaps. 


1 Introduction 


Separation logic [Rey02], in the sequel also referred to by SL, extends first- 
order logic with the separating connectives of conjunction and implication for 
reasoning about programs which feature the dynamic allocation of variables 
that are stored at locations of that part of the memory called the ‘heap’. The 
separating conjunction allows to specify properties of a partition of the heap 
into two disjoint sub-heaps. The separating implication (also called ‘the magic 
wand’) allows to express properties of disjoint extensions of the heap. Both 
separating connectives involve a second-order quantification over heaps (which 
are represented by binary relations). 

In this paper we study both the model theory and the proof theory of SL. 
The standard model of SL (as introduced in [Rey02]) extends the standard model 
of arithmetic with the so-called ‘points-to’ relation which provides a formaliza- 
tion of the heap in terms of the graph of a finitely-based partial function. This 
function assigns to each location of the heap its stored value, or is undefined if 
the location is not allocated. In the standard semantics of SL (here also called 
weak SL), the domains of heaps are finite, that is, only finitely many locations 
are allocated. Reasoning about finite heaps however requires an infinitary logic 
because the logic of finite heaps, and that of finite model theory in general, does 
not satisfy the compactness property: it is straightforward to express for each 
natural number that the domain of the heap contains at least that number of 
© The Author(s) 2023 
elements. It follows that every finite subset of this infinite set of sentences is
satisfiable, but clearly no finite heap satisfies the entire set. 

To study the general model and proof theory of full SL¹ we (1) extend its semantics
to arbitrary first-order models and (2) generalize the notion of a heap to a partial
function on the underlying domain of the given (first-order) model: no restrictions
are imposed on the cardinality of the domain of heap, in contrast to weak SL
which restricts to finite heaps. Our main model-theoretic results are that in this 
general setting we can express: (1) finiteness of models, (2) well-foundedness of the 
points-to relation, and (3) existence of countably infinite and uncountable models. 
As a consequence we have that full SL satisfies neither compactness nor the downward
and upward Löwenheim-Skolem theorems (see [CK13]). Non-compactness
implies that there does not exist an effective, sound and complete proof theory for 
SL. In fact, we will show that the well-foundedness of the points-to relation can 
already be expressed in full SL using only separating conjunction. Consequently, 
full SL without separating implication is already non-compact. For full SL without 
separating implication but in which separating conjunction only occurs positively, 
the fragment which we call separation logic light (SLL), we do have compactness, 
but its semantic consequence relation is not compact and therefore also does not 
allow for an effective, sound and complete proof theory. 

The question thus arises whether there exists an alternative interpretation of 
SL that does allow for an effective, sound and complete proof theory. Clearly, the 
main complexity of SL stems from the (second-order) quantification over heaps 
(or sub-heaps, as in the case of the separating conjunction). For second-order 
logic a sound and complete axiomatization can be obtained by generalizing its 
semantics by means of so-called general models. Such models extend first-order 
models with a set of possible interpretations of the second-order variables. For 
example, instead of interpreting a monadic predicate over all possible subsets 
of the given first-order domain, a general model restricts its interpretation to a 
given set of such subsets. This generalization of the semantics of second-order 
logic allows for a sound and complete axiomatization by restricting to so-called 
Henkin models. A Henkin model is a general model for second-order logic which 
additionally satisfies the comprehension axiom 


$$\exists R\, \forall x_1, \ldots, x_n\,(R(x_1, \ldots, x_n) \leftrightarrow \phi(x_1, \ldots, x_n))$$


for any second-order formula $\phi(x_1, \ldots, x_n)$ which does not contain the $n$-ary
relation symbol $R$. In the arithmetic comprehension axiom $\phi(x_1, \ldots, x_n)$ is first-order.


Generalizing the semantics of SL accordingly in terms of a given set of possi- 
ble heaps, which does not necessarily contain all heaps, we can formulate in SL 
the following version of the arithmetic comprehension axiom 


$$\Diamond(\forall x, y((x \hookrightarrow y) \leftrightarrow \phi(x, y)))$$


1 Here we adopt the terminology for second-order logic [Vää01], where the semantics 
of full second-order logic does not impose any restrictions on the cardinality of the 
interpretation of the predicates/relations, in contrast to weak second-order logic which 
restricts to finite interpretations (of the predicates/relations). 
which expresses the existence of a heap such that its graph, as denoted by the
points-to relation $\hookrightarrow$, satisfies the ‘pure’ first-order formula $\phi(x, y)$ (i.e., $\phi$ does
not involve the separating connectives and the points-to relation). The $\Diamond$-modality
(formally defined in Sect. 3) expresses the existence of a heap which
satisfies the associated formula. Such an instance of the arithmetic comprehension
axiom holds if there exists a heap which is characterized by the formula
$\phi(x, y)$. We cannot generalize this axiom to arbitrary SL formulas because it is
not obvious how to avoid contradictions like $\Diamond(\forall x, y((x \hookrightarrow y) \leftrightarrow \neg(x \hookrightarrow y)))$.
Simply requiring that the points-to relation does not occur in $\phi(x, y)$ does not
work because the separating connectives implicitly refer to it. Therefore, we
introduce a new interpretation of SL that restricts the (second-order) quantification
to first-order definable heaps. For this new interpretation we introduce a
sequent calculus which is sound and complete. The completeness proof is based
on the construction of a model for a consistent theory (a theory from which
false is not derivable), following [Hen49]. From the completeness proof we further
derive that this new interpretation satisfies both compactness and the downward
Löwenheim-Skolem theorem. By the seminal theorem of Lindström we then infer
that this new interpretation is as expressive as first-order logic.


Related Work. The model theory of SL has been focused mainly on finite heaps. 
For example, the computability and complexity results in [CYO01] depend on
this assumption. Surprisingly, in [BDL12] the authors show that weak SL is as 
expressive as weak second-order logic [Man96], which is a semantics of second- 
order logic where quantification is restricted to finite relations. In [DD16] this 
result is further refined by the restriction to two variables and the separat- 
ing implication (no separating conjunction) which still is as expressive as weak 
second-order logic. In [EIP20] the satisfiability problem for SL with k record 
fields has been studied for finite heaps, but over arbitrary first-order models. 
A tableaux method for a propositional fragment of SL has been developed in 
[GM10] which has been proven sound and complete. Extensions to first-order SL 
are discussed assuming finite heaps. In fact, the tableaux method introduced is 
based on a labelling mechanism for encoding finite heap structures. 

In contrast, when investigating complete proof systems for SL the assump- 
tion of the finiteness of heaps has to be dropped, thus allowing for infinite 
heaps, because, as already observed above, finiteness leads to non-compactness. 
Our general model theory shows that this generalization of SL, full SL, is also 
non-compact, and therefore does not allow for a finitary sound and complete 
logic either. Consequently, to obtain such a logic one either has to syntacti- 
cally restrict SL or further abstract or generalize its semantics. In [DLM21], for 
example, a sound and complete sequent calculus is described for a quantifier-free 
subset of SL. On the other hand, examples of further abstractions and gener- 
alizations are [HT16] and [Pym02], and both describe a finitary logic which is 
sound and complete. In [Pym02], models are based on very general preordered 
commutative monoids and there is no points-to relation. In [HT16], special com- 
mutative monoids called separation algebras are used to give semantics to the 
separating connectives. The elements of such separation algebras represent heaps 
as relations on the underlying (first-order) domain. This allows for a standard
set-theoretic interpretation of the points-to relation. However, the semantics of 
separating conjunction is defined in terms of the abstract monoid, and as such 
is decoupled from the set-theoretic interpretation of the points-to relation. For 
example, a first-order specification (using plain conjunction) of an enumeration 
of the elements of the domain of a (finite) heap as a set does not in general 
correspond with an enumeration using separation conjunction. 

A sound and complete axiomatization of the points-to relation in the general 
context of first-order SL respecting its standard set-theoretic interpretation thus 
remains a main challenge. 

Second-order logic allows for a straightforward translation of the (weak or 
full) semantics of SL, and one can use second-order logic to reason about validity 
in SL. This approach is followed for example by the IRIS project [JKJ+18] which 
formalizes the semantics of weak SL in the higher-order logic of Coq [HH14]. By 
restricting the semantics of the separating connectives to (first-order) definable 
heaps, our approach instead transforms a compositional second-order logical 
description of the semantics of SL into corresponding rules of a standard first- 
order sequent calculus. The resulting calculus allows us to reason, in a natural 
manner, in first-order logic about the (hierarchical) heap structures generated 
by the rules for the separating connectives. As such it does not involve the 
additional tree structures of the so-called bunched contexts of the sequent calculi 
of [HT16] and [Pym02]. Also [Kri08] avoids the use of bunched contexts in a 
modal sequent calculus for propositional SL, which is proven sound. However it 
is incomplete because it provides limited support for equational reasoning about 
the modal contexts (so-called ‘worlds’) associated with the SL formulas. 


Plan of the Paper. In the next section we introduce the syntax and semantics 
of full SL. In Sect. 3 we investigate the expressiveness of full SL. Section 4 intro- 
duces a restriction of the semantics to definable heaps. In Sect. 5 we introduce 
the sequent calculus, and discuss soundness and completeness. Finally, in the 
conclusion section we wrap up, and discuss some future work. 


2 Separation Logic 


In this section we introduce the syntax of SL and define its classical semantics
with respect to arbitrary first-order models. For an intuitive introduction to
separation logic, see [Rey05]. Given a first-order signature of function and predicate
symbols² and a countably infinite set of first-order variables $x, y, z, \ldots$, the
first-order terms of this signature are denoted by $t, t', \ldots$.

We have the following inductive definition of formulas of separation logic. 


Definition 1 (Syntax of SL). We define 


$$p ::= (t_1 = t_2) \mid R(t_1, \ldots, t_n) \mid (\neg p) \mid (p \wedge q) \mid \exists x(p) \mid (p * q) \mid (p \mathrel{-\!*} q)$$


² We allow for a countably infinite set of such symbols.
where $R$ is an $n$-ary relation symbol. As a special case we have the binary ‘points-to’
relation symbol $\hookrightarrow$ (also called the weak/loose points-to).


Let $M = (D, I)$ denote a first-order model, where $D$ denotes the non-empty
domain and $I$ provides an interpretation of the function and predicate symbols
as functions and relations over $D$. A valuation $s$ assigns elements of the domain
$D$ of $M$ to the first-order variables $x, y, z, \ldots$. We omit the standard inductive
definition of the value $I_s(t)$ of a term $t$. Given a model $M = (D, I)$, we denote
by $M, h, s \models p$ that $p$ holds in the model $M$, under the interpretation $h \subseteq D \times D$
of the binary relation symbol $\hookrightarrow$, where $h$ denotes a so-called heap, represented
as the graph of a partial function with finite domain.


Definition 2 (Semantics of SL). We have the following main cases.

- $M, h, s \models (t \hookrightarrow t')$ if and only if $(I_s(t), I_s(t')) \in h$.

- $M, h, s \models (p * q)$ if and only if $M, h_1, s \models p$ and $M, h_2, s \models q$, for some heaps
$h_1, h_2 \subseteq D \times D$ such that $h = h_1 \cup h_2$ and $h_1 \perp h_2$.

- $M, h, s \models (p \mathrel{-\!*} q)$ if and only if $M, h', s \models p$ implies $M, h \cup h', s \models q$, for all
heaps $h' \subseteq D \times D$ such that $h \perp h'$.

Other cases are the Tarski-style semantics of classical logic [Yan01, Table 5.2].


In the above definition we use the set-theoretic operation of union of binary
relations as sets of pairs. On the other hand, by $h_1 \perp h_2$ we denote that the
domains of the relations $h_1$ and $h_2$ are disjoint³. As such, we can introduce
the strict/tight points-to relation $\mapsto$ of SL, defined by $M, h, s \models t \mapsto t'$ if
and only if $h = \{(I_s(t), I_s(t'))\}$, as a derived concept: it can be expressed by
$(t \hookrightarrow t') \wedge \forall x, y((x \hookrightarrow y) \to (x = t \wedge y = t'))$. The concept $emp$ of the empty
relation can also be expressed by $\forall x, y\, \neg(x \hookrightarrow y)$. Intuitionistic SL only allows
for the weak/loose points-to relation. The strict version cannot be expressed in
intuitionistic SL because of its monotonicity property that the truth of a formula
is preserved by extensions of the domain of the heap [Rey00]. In this article we
focus on classical separation logic only.

Let $(x_i \hookrightarrow -)$ abbreviate $\exists y(x_i \hookrightarrow y)$. The sentences $\phi_n$ defined by

$$\exists x_1, \ldots, x_n\,((x_1 \hookrightarrow -) * \cdots * (x_n \hookrightarrow -))$$

then state that there exist at least $n$ allocated elements of the underlying domain
of the given first-order model. Note that the semantics of the separating conjunction
implies that $x_i \neq x_j$ for $i \neq j$. It is also possible to formulate the same
property using propositional conjunction instead of separating conjunction by
explicitly stating this fact, that the variables are not aliases. Now collect all $\phi_n$
in a set. Clearly, every finite subset of this set of sentences is satisfied by a finite
heap, but there does not exist a finite heap satisfying all these sentences.


³ The domain of an arbitrary relation $R \subseteq D \times D$ is the set of $d \in D$ for which there
exists a $d' \in D$ such that $(d, d') \in R$. Note that for heaps $h_1 \perp h_2$ is equivalent to
$h_1 \cap h_2 = \emptyset$.
This simple counterexample to compactness provides the basic motivation to
study the above semantics of SL extended to unbounded heaps, i.e. heaps which
potentially have an infinite domain.

Further, for technical convenience only, we generalize the semantics to arbitrary
binary relations. For an arbitrary (binary) relation $R \subseteq D \times D$ on the
underlying domain $D$ of the given first-order model, we define $M, R, s \models p$ as
above, where the interpretation of the separating connectives ranges over arbitrary
subsets of $D \times D$. In fact, in this generalized semantics, which we call
relational SL, we can model the restriction to heaps simply by syntactically
restricting the separating implication to assertions of the form $(p \wedge fun) \mathrel{-\!*} q$,
where $fun$ denotes the assertion $\forall x, y, z((x \hookrightarrow y \wedge x \hookrightarrow z) \to y = z)$. Let $p'$
denote the result of restricting syntactically all occurrences of the separating
implication in $p$ to heaps (as described above). It follows that the evaluation of
$p' \wedge fun$ is restricted to heaps.

It is worthwhile to observe here that there exists a straightforward formalization
of relational SL in second-order logic. For any formula $p$ as defined above we
define inductively the second-order formula $p(R)$, where $R$ is a binary relation.


Definition 3 (Logical formalization of relational SL).
We have the following main cases.


- $(t \hookrightarrow t')(R) = R(t, t')$,
- $(p * q)(R) = \exists R_1, R_2(R = R_1 \uplus R_2 \wedge p(R_1) \wedge q(R_2))$,
- $(p \mathrel{-\!*} q)(R) = \forall R_1, R_2((R_2 = R_1 \uplus R \wedge p(R_1)) \to q(R_2))$.


Here we denote by $R = R_1 \uplus R_2$, for any binary relation symbols $R, R_1, R_2$,
the conjunction of the formulas $\forall x, y(R(x, y) \leftrightarrow (R_1(x, y) \vee R_2(x, y)))$ and
$\forall x, y, z(\neg R_1(x, y) \vee \neg R_2(x, z))$. We denote by $M, s \models \phi$ the standard truth
definition of a second-order formula $\phi$, where the evaluation $s$ additionally interprets
the second-order variables. Correctness of this translation, that is, $M, \mathcal{R}, s \models p$
if and only if $M, s[R := \mathcal{R}] \models p(R)$ (where $s[R := \mathcal{R}]$ denotes the update of $s$
which assigns to the binary variable $R$ the relation $\mathcal{R}$), can be established by a
straightforward induction on $p$.


3 Model Theory: Compactness and Countability 


To explore the general model theory of SL we introduce the modalities $\boxplus p$ and $\Box p$
as abbreviations of $true * (emp \wedge (true \mathrel{-\!*} p))$ and $\neg(true * \neg p)$, respectively⁴.
For $M = (D, I)$ we have $M, R, s \models \boxplus p$ if and only if $M, R', s \models p$, for every
$R' \subseteq D \times D$. Further, we have $M, R, s \models \Box p$ if and only if $M, R', s \models p$, for every
sub-relation $R'$ of $R$ (that is, $R' \subseteq R$). By $\Diamond p$ we denote the formula $\neg\boxplus\neg p$. It
follows that $M, R, s \models \Diamond p$ if and only if $M, R', s \models p$, for some $R' \subseteq D \times D$.


Characterizing Finite Models. The above $\boxplus$-modality allows to express that the
domain $D$ of a model $M = (D, I)$ is finite, by asserting that every injective
function $f : D \to D$ is a surjection: Let $inj$ be the conjunction of the formulas
$fun$ (as defined above), $\forall x, y, z((x \hookrightarrow z \wedge y \hookrightarrow z) \to x = y)$, and $\forall x \exists y(x \hookrightarrow y)$.
We have that $M, R, s \models inj$ if and only if $R : D \to D$ is injective (note that the
domain of $R$ is $D$ because $M, R, s \models \forall x \exists y(x \hookrightarrow y)$). And so $M, R, s \models \boxplus(inj \to
\forall x \exists y(y \hookrightarrow x))$ if and only if $D$ is finite. Note that the occurrences of $\hookrightarrow$ in the
scope of the $\boxplus$-modality are universally bounded, and the interpretation of $\hookrightarrow$
thus ranges over all $R \subseteq D \times D$.


⁴ We note that $\boxplus$ and $\Diamond$ are, respectively, $\Box$ and $\Diamond$ in [HT16]. However in [HT16] they
are introduced not as abbreviations but as primitive concepts.


The Logic of Separation Logic: Models and Proofs 413


Characterizing Countable Infinity. We next show that countability of the underlying
domain of a model can be expressed, using the above two modalities. We
will be working with chains related by $\hookrightarrow$, and in that sense we speak of a predecessor
of $x$, being any $y$ such that $(y \hookrightarrow x)$, and successor of $x$, being any $y$
such that $(x \hookrightarrow y)$. Let $enum$ be the conjunction of the following formulas:


- the above formula $inj$,

- the formula $\exists! x \forall y\, \neg(y \hookrightarrow x)$⁵, which states the existence of a unique minimal
element (that is, an element that has no predecessor),

- the formula $\Box(emp \vee \exists x((x \hookrightarrow -) \wedge \forall y((y \hookrightarrow -) \to \neg(y \hookrightarrow x))))$, which
expresses that the points-to relation $\hookrightarrow$ is well-founded.


Note that a relation $R$ is well-founded iff every (non-empty) sub-relation of $R$ has
a minimal element (with respect to that sub-relation). This fact can be expressed
by the use of the formula $enum$. Let $M, R, s \models enum$. We show that $R$ encodes an
enumeration $(d_n)_n$ of $D$ (still we have $M = (D, I)$). We define the sequence $(d_n)_n$
by induction on $n$: for $d_0$ we take the (unique) minimal element, and for $d_{n+1}$ we
take the unique element $d \in D$ such that $(d_n, d) \in R$. Note that $inj$ implies that
every element of $D$ has a unique ‘successor’ and that $d_{n+1} \notin \{d_0, \ldots, d_n\}$. Well-foundedness
ensures that every element of $D$ appears in the enumeration $(d_n)_n$.
Because otherwise we can construct an infinite descending chain of elements
not appearing in the enumeration $(d_n)_n$ (since $d_0$ denotes the unique minimal
element with respect to the functional interpretation $R$ of $\hookrightarrow$, it follows that for
any $d \in D$ which does not appear in the enumeration $(d_n)_n$ there exists a $d' \in D$
which also does not appear in the enumeration $(d_n)_n$ and $(d', d) \in R$).

We thus have that $M, R, s \models enum$ implies that the domain of $M$ is countably
infinite. The formula $\Diamond enum$ further abstracts from the current interpretation of
the points-to relation $\hookrightarrow$, so that if the domain of $M$ is countably infinite then
$M, R, s \models \Diamond enum$, for arbitrary $R$ (and $s$).

The class of uncountable models is characterized by $\neg(\Diamond enum \vee fin)$, where
$fin$ denotes the above formula which characterizes the class of finite models.

Summarizing, the logic of full SL is neither compact nor does it satisfy the
Löwenheim-Skolem theorem because it can distinguish between countable and
uncountable models. Further, we observe that the above expressiveness results
do not depend on the interpretation of the points-to relation as an arbitrary
relation. That is, these results also hold for the semantics restricted to (infinite)
heaps.


⁵ $\exists! x\, p$ is an abbreviation of $\exists x(p \wedge \forall y(p[y/x] \to y = x))$, where $p[y/x]$ denotes the
substitution of $x$ by $y$.
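The following finite-model checker is added here as an example and is not code from the paper. It implements the relational reading of Definition 2 (separating conjunction as a domain-disjoint split of $R$, separating implication as quantification over all extensions in $D \times D$) and then evaluates the derived notation of Sect. 2 ($\mapsto$, $emp$, $\phi_n$) and of this section ($\boxplus$, $\Box$, $inj$, the finiteness formula and the well-foundedness conjunct of $enum$) on a constructed three-element model. The tuple encoding of formulas, the names `sat`, `box_all`, `box_sub`, `FIN`, `WF` and the sample relations are assumptions of this example.

```python
"""Finite-model checker for relational SL (added example, not the paper's code)."""
from itertools import combinations

# Formulas are nested tuples.  A term is a variable name (str) looked up in the
# valuation s, or a domain element (int).  Relations are frozensets of pairs.
def val(t, s):
    return s[t] if isinstance(t, str) else t

def dom(R):                       # domain of a binary relation (footnote 3)
    return {a for a, _ in R}

def subsets(pairs):
    pairs = list(pairs)
    for k in range(len(pairs) + 1):
        for c in combinations(pairs, k):
            yield frozenset(c)

def sat(D, R, s, p):
    """M, R, s |= p: Definition 2 read over arbitrary R (relational SL)."""
    op = p[0]
    if op == 'pt':                # loose points-to t -> t'
        return (val(p[1], s), val(p[2], s)) in R
    if op == 'eq':
        return val(p[1], s) == val(p[2], s)
    if op == 'not':
        return not sat(D, R, s, p[1])
    if op == 'and':
        return sat(D, R, s, p[1]) and sat(D, R, s, p[2])
    if op == 'or':
        return sat(D, R, s, p[1]) or sat(D, R, s, p[2])
    if op == 'imp':
        return (not sat(D, R, s, p[1])) or sat(D, R, s, p[2])
    if op == 'exists':
        return any(sat(D, R, {**s, p[1]: d}, p[2]) for d in D)
    if op == 'forall':
        return all(sat(D, R, {**s, p[1]: d}, p[2]) for d in D)
    if op == 'star':              # R = R1 u R2 with disjoint domains (R1 _|_ R2)
        return any(dom(R1).isdisjoint(dom(R - R1))
                   and sat(D, R1, s, p[1]) and sat(D, R - R1, s, p[2])
                   for R1 in subsets(R))
    if op == 'wand':              # every R' in D x D with dom(R') disjoint from dom(R)
        return all((not sat(D, R2, s, p[1])) or sat(D, R | R2, s, p[2])
                   for R2 in subsets((a, b) for a in D for b in D)
                   if dom(R2).isdisjoint(dom(R)))
    raise ValueError('unknown connective %r' % op)

# Derived notation from Sects. 2 and 3 (variables starting with '_' are private).
TRUE = ('forall', '_z', ('eq', '_z', '_z'))
EMP = ('forall', '_x', ('forall', '_y', ('not', ('pt', '_x', '_y'))))

def tight(t, u):                  # strict points-to  t |-> u
    return ('and', ('pt', t, u), ('forall', '_x', ('forall', '_y',
            ('imp', ('pt', '_x', '_y'), ('and', ('eq', '_x', t), ('eq', '_y', u))))))

def alloc(x):                     # (x -> -)
    return ('exists', '_y', ('pt', x, '_y'))

def phi(n):                       # phi_n: at least n allocated elements
    xs = ['x%d' % i for i in range(1, n + 1)]
    body = alloc(xs[0])
    for x in xs[1:]:
        body = ('star', body, alloc(x))
    for x in reversed(xs):
        body = ('exists', x, body)
    return body

def box_all(p):                   # [+]p = true * (emp /\ (true -* p)): p for all R'
    return ('star', TRUE, ('and', EMP, ('wand', TRUE, p)))

def box_sub(p):                   # []p = -(true * -p): p for every sub-heap of R
    return ('not', ('star', TRUE, ('not', p)))

FUN = ('forall', 'x', ('forall', 'y', ('forall', 'z', ('imp',
       ('and', ('pt', 'x', 'y'), ('pt', 'x', 'z')), ('eq', 'y', 'z')))))
INJ = ('and', FUN, ('and', ('forall', 'x', ('forall', 'y', ('forall', 'z', ('imp',
       ('and', ('pt', 'x', 'z'), ('pt', 'y', 'z')), ('eq', 'x', 'y'))))),
       ('forall', 'x', ('exists', 'y', ('pt', 'x', 'y')))))
FIN = box_all(('imp', INJ, ('forall', 'x', ('exists', 'y', ('pt', 'y', 'x')))))
WF = box_sub(('or', EMP, ('exists', 'x', ('and', alloc('x'),
      ('forall', 'y', ('imp', alloc('y'), ('not', ('pt', 'y', 'x'))))))))

def demo():
    """Evaluate the page's formulas on a constructed three-element model."""
    D = [0, 1, 2]
    chain = frozenset({(0, 1), (1, 2)})   # heap 0 -> 1 -> 2, two allocated cells
    loop = frozenset({(0, 1), (1, 0)})    # a cycle: not well-founded
    return {
        'phi2_chain': sat(D, chain, {}, phi(2)),        # True
        'phi3_chain': sat(D, chain, {}, phi(3)),        # False: only 2 allocated
        'tight_chain': sat(D, chain, {}, tight(0, 1)),  # False: heap is not {(0,1)}
        'tight_single': sat(D, frozenset({(0, 1)}), {}, tight(0, 1)),  # True
        'finite': sat(D, chain, {}, FIN),               # True: D is finite
        'wf_chain': sat(D, chain, {}, WF),              # True
        'wf_loop': sat(D, loop, {}, WF),                # False
    }

if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

The `finite` check enumerates all 512 relations on the three-element domain, which is exactly the universal quantification the $\boxplus$ abbreviation performs through `emp` and the magic wand.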
Interestingly, since we can express that the points-to relation $\hookrightarrow$ is well-founded
(see above), even restricting to the separating conjunction gives rise
to non-compactness: given a countably infinite set of individual constants $c_n$,
$n \geq 0$, let $\Gamma$ consist of the above formula $\Box(emp \vee \exists x((x \hookrightarrow -) \wedge \forall y((y \hookrightarrow -) \to
\neg(y \hookrightarrow x))))$ and the formulas $c_{n+1} \hookrightarrow c_n$, $n \geq 0$. Clearly, every finite subset of
$\Gamma$ is satisfiable but $\Gamma$ itself is not. Note that we do not need to require that all
the $c_i \neq c_j$, for every $i \neq j$, because in case the formulas $c_{n+1} \hookrightarrow c_n$, $n \geq 0$, are
satisfied and additionally $c_i = c_j$ holds, for some $i \neq j$, we have a loop in the
interpretation of $\hookrightarrow$. Further, restricting SL to separating conjunction also does
not satisfy the upward Löwenheim-Skolem theorem, because, as argued above,
$M, R, s \models enum$ implies (infinite) countability of the domain of $M$.


Separation Logic Light. What about further restricting to positive occurrences of
the separating conjunction? Since we then can push negation inside, this restriction
can be formally defined by the following syntax describing SLL (‘separation
logic light’):


$$p ::= (\neg)R(t_1, \ldots, t_n) \mid (p \vee q) \mid (p \wedge q) \mid \exists x(p) \mid \forall x(p) \mid (p * q)$$


Here $R$ denotes either an $n$-ary relation symbol or the points-to relation $\hookrightarrow$.
Thus, in this version of SL, negation can only be applied to atomic formulas.
To show that the notion of satisfiability of SLL is compact, we introduce the
following first-order translation $p@R$, where $R$ is a binary predicate different from
$\hookrightarrow$, $\circ$ denotes conjunction/disjunction, and $Q$ denotes the existential/universal
quantifier.


$$\begin{aligned}
(\neg)R'(t_1, \ldots, t_n)@R &= (\neg)R'(t_1, \ldots, t_n) \\
(t \hookrightarrow t')@R &= R(t, t') \\
(p \circ q)@R &= p@R \circ q@R \\
Qx(p)@R &= Qx(p@R) \\
(p * q)@R &= R = R_1 \uplus R_2 \wedge p@R_1 \wedge q@R_2
\end{aligned}$$


The binary relation symbols $R_1$ and $R_2$ are ‘fresh’. It follows that $p$ is satisfiable
if and only if $p@R$ is satisfiable. More precisely, $M, \mathcal{R}, s \models p$ if and only if
there exists a (first-order) model $M'$ such that $M', s \models p@R$. Consequently,
compactness of first-order logic implies compactness of SLL: Let $\Gamma$ be an infinite
set of formulas of SLL and $\Gamma' = \{p@R \mid p \in \Gamma\}$⁶, for some binary relation
symbol $R$. If every finite subset of $\Gamma$ is satisfiable, so is every finite subset of $\Gamma'$.
By the compactness of first-order logic $\Gamma'$ is satisfiable, and so is $\Gamma$. Along the
same lines it follows that if $\Gamma$ is satisfiable then there exists a model $M = (D, I)$
such that $D$ is countable and $M, \mathcal{R}, s \models p$, for every $p \in \Gamma$.

Note however that compactness of the satisfiability relation does not imply 
that the (semantic) consequence relation is compact. In fact, non-compactness 
of the consequence relation for SLL follows directly from the above argument 


⁶ Note that $\Gamma'$ may require the introduction of an infinite number of fresh (binary)
relation symbols. This is however no problem because first-order logic allows for a 
countably infinite set of function and relation symbols. 
involving well-founded relations: Let $\Gamma$ denote the set of formulas $c_{n+1} \hookrightarrow c_n$,
$n \geq 0$. It follows that $\Gamma \models true * (\neg emp \wedge \forall x((x \hookrightarrow -) \to \exists y(y \hookrightarrow x)))$.
But clearly, there does not exist a finite subset $\Gamma_0$ of $\Gamma$ such that $\Gamma_0 \models true *
(\neg emp \wedge \forall x((x \hookrightarrow -) \to \exists y(y \hookrightarrow x)))$.


Some Open Problems. The question remains whether restricting to separating
conjunction satisfies the downward Löwenheim-Skolem theorem. A counterexample
to the downward Löwenheim-Skolem theorem would be the expressibility
of uncountable models. This seems to require the $\boxplus p$ modality (and thus the
separating implication).

Another interesting question is whether we can express finiteness of the
domain of the current interpretation of the points-to relation, that is, does there
exist a formula $p$ in SL such that $M, \mathcal{R}, s \models p$ if and only if the domain of the
relation $\mathcal{R}$ is finite?

A main open problem is a formalization of the relation between full SL and
second-order logic. Intuitively, one of the main differences is the local perspective
of SL, which is determined by the current heap. Remarkably, as already
mentioned in the introduction, [BDL12] presents a rather intricate encoding
of (dyadic) weak second-order logic into weak SL. Apparently this restriction
to finite heaps allows to break the local perspective. Our conjecture however
is that full SL is strictly less expressive than (dyadic) second-order logic. To
illustrate how subtle this difference may be, consider the following extension of
separation logic with a binding operator $\downarrow\! R(p)$ which binds the binary variable
$R$ in the evaluation of $p$ to the current interpretation of the points-to
relation. In other words, it corresponds to a bounded (second-order) quantification
$\exists R((R = \hookrightarrow) \wedge p)$, where $R = \hookrightarrow$ abbreviates the first-order formula
$\forall x, y(R(x, y) \leftrightarrow (x \hookrightarrow y))$. Alternatively, we can directly define $M, \mathcal{R}, s \models \downarrow\! R(p)$
if and only if $M, \mathcal{R}, s[R := \mathcal{R}] \models p$. This definition thus assumes an extension of
the valuation $s$ to (binary) second-order variables. The expressive power of this
binding operator lies in that it allows to ‘break the spell’ of the local perspective
since the bound binary variable allows in the local context of the current
interpretation of the points-to relation to refer to those ‘outer’ ones that have
generated it (by the separating connectives). This extension of SL allows for a
simple, compositional translation of (dyadic) second-order logic. We have the
following main case which translates $\exists R(\phi)$, where $\phi$ is a dyadic second-order formula
(which is assumed not to contain occurrences of the points-to relation of
SL), into the SL formula $\Diamond(\downarrow\! R(p))$.


4 Separation Logic of Definable Binary Relations 


In this section we restrict the interpretation of the separating connectives to
first-order definable binary relations. By $\phi$ we now denote a first-order formula
which does not contain occurrences of the points-to relation $\hookrightarrow$ of SL. We omit
the standard inductive truth definition $M, s \models \phi$ of a first-order formula $\phi$.

By $\phi(x_1, \ldots, x_n)$ we denote that the free (first-order) variables of $\phi$ are among
the distinct variables $x_1, \ldots, x_n$. A formula $\phi(x, y)$ is called a binary formula.
A binary formula is also simply denoted by $\phi$, omitting its free variables $x$ and
$y$. Given a model $M = (D, I)$, and a first-order formula $\phi(x, y)$, we denote
by $Rel_M(\phi)$ the relation $\{(s(x), s(y)) \mid M, s \models \phi\} \subseteq D \times D$. Note that the
evaluation of $\phi(x, y)$ only depends on the values of its free variables $x$ and $y$,
that is, $M, s \models \phi$ if and only if $M, s' \models \phi$, where $s(x) = s'(x)$ and $s(y) = s'(y)$.
By $\phi(t, t')$ we denote the result of replacing in $\phi(x, y)$ the variables $x$ and $y$ by
$t$ and $t'$, respectively (if necessary renaming bound variables to ensure that the
variables of $t$ and $t'$ do not become bound).


Definition 4 (First-order definability). Given a model $M = (D, I)$, a relation
$R \subseteq D \times D$ is first-order definable if $R = Rel_M(\phi)$, for some binary formula
$\phi(x, y)$.


Note that, given a model $M = (D, I)$, $I(R) = Rel_M(R)$, that is, for any
binary relation symbol $R$ its interpretation $I(R)$ is trivially a first-order definable
relation. We generalize the definition of $R = R_1 \uplus R_2$ to arbitrary binary formulas:
we denote by $\phi = \phi_1 \uplus \phi_2$ that the binary formulas $\phi_1(x, y)$ and $\phi_2(x, y)$ represent
a partition of the binary formula $\phi(x, y)$ which is expressed by the conjunction
of $\forall x, y(\phi(x, y) \leftrightarrow (\phi_1(x, y) \vee \phi_2(x, y)))$ and $\forall x, y, z(\neg\phi_1(x, y) \vee \neg\phi_2(x, z))$. The
latter formula, which states that the domains of the binary relations represented
by $\phi_1(x, y)$ and $\phi_2(x, y)$ are disjoint, we abbreviate by $\phi_1 \perp \phi_2$.

In the sequel we denote by $M, \mathcal{R}, s \models p$ the restriction of the relational semantics
of full SL (Definition 2 extended to binary relations) such that instead of
quantifying over arbitrary binary relations, the separating connectives involve 
quantification over first-order definable binary relations. It is worthwhile to 
observe here that, as for Henkin models of second-order logic [Hen50], the implicit 
second-order quantification depends on the underlying signature of function and 
relation symbols. Extending or restricting the signature affects the semantics of 
formulas of the ‘old’ signature. 


5 Sequent Calculus 


To reason about the implicit quantification over definable (binary) relations, we
introduce rooted assertions of the form $p@\phi$, where $\phi$ denotes a binary formula
and $p$ is a formula of SL (see Definition 1). We define $M, s \models p@\phi$ if and only if
$M, \mathcal{R}, s \models p$, where $\mathcal{R} = Rel_M(\phi)$. The variables $x$ and $y$ of the binary formula
$\phi(x, y)$ are thus implicitly bound by the $@$-operator, that is, $M, s \models p@\phi$ if and
only if $M, s' \models p@\phi$, for any $s$ and $s'$ such that $s(z) = s'(z)$, for any free variable
$z$ occurring in $p$.

Note that the separating connectives are interpreted in terms of relations
which are definable by first-order formulas which do not involve the points-to
relation $\hookrightarrow$. This allows for the following alternative predicative definition⁷ of
the semantics of the separating connectives in rooted assertions (used in both
the soundness and completeness proofs). Here $\psi \perp \phi$, for the binary formulas
$\psi(x, y)$ and $\phi(x, y)$, denotes the formula $\forall x, y, z(\neg\psi(x, y) \vee \neg\phi(x, z))$.


⁷ For a foundational discussion concerning predicativity, see [Cro17].
Separating conjunction


$$\frac{\Gamma,\ \phi = R_1 \uplus R_2,\ p@R_1,\ q@R_2 \Rightarrow \Delta}{\Gamma,\ (p * q)@\phi \Rightarrow \Delta}\ (L_*)$$


$$\frac{\Gamma \Rightarrow \Delta,\ \phi = \phi_1 \uplus \phi_2 \qquad \Gamma \Rightarrow \Delta,\ p@\phi_1 \qquad \Gamma \Rightarrow \Delta,\ q@\phi_2}{\Gamma \Rightarrow \Delta,\ (p * q)@\phi}\ (R_*)$$


Separating implication


$$\frac{\Gamma \Rightarrow \Delta,\ \psi \perp \phi \qquad \Gamma \Rightarrow \Delta,\ p@\psi \qquad \Gamma,\ q@(\phi \vee \psi) \Rightarrow \Delta}{\Gamma,\ (p \mathrel{-\!*} q)@\phi \Rightarrow \Delta}\ (L_{-*})$$


$$\frac{\Gamma,\ R \perp \phi,\ p@R \Rightarrow \Delta,\ q@(\phi \vee R)}{\Gamma \Rightarrow \Delta,\ (p \mathrel{-\!*} q)@\phi}\ (R_{-*})$$


Points-to rules


$$\frac{\Gamma,\ p[\phi/\hookrightarrow] \Rightarrow \Delta}{\Gamma,\ p@\phi \Rightarrow \Delta} \qquad \frac{\Gamma \Rightarrow p[\phi/\hookrightarrow],\ \Delta}{\Gamma \Rightarrow p@\phi,\ \Delta}$$


Fig. 1. Sequent calculus. The binary relation symbols $R_1$, $R_2$ and $R$ introduced in the
rules $L_*$ and $R_{-*}$ are ‘fresh’. In the points-to rules $p$ denotes a basic formula (which
does not contain occurrences of the separating connectives).


Lemma 1. We have


- $M, s \models (p * q)@\phi$ if and only if there exist binary formulas $\phi_1$ and $\phi_2$ such
that $M, s \models \phi = \phi_1 \uplus \phi_2$, $M, s \models p@\phi_1$, and $M, s \models q@\phi_2$.

- $M, s \models (p \mathrel{-\!*} q)@\phi$ if and only if $M, s \models \psi \perp \phi$ and $M, s \models p@\psi$ implies
$M, s \models q@(\phi \vee \psi)$, for all binary formulas $\psi$.


We now develop a calculus for sequents $A_1, \ldots, A_n \Rightarrow B_1, \ldots, B_m$, where
each $A_i$, $i = 1, \ldots, n$, and $B_j$, $j = 1, \ldots, m$, is constructed from first-order
formulas and rooted assertions, which can be further composed using propositional
connectives and quantification of first-order variables. This calculus is
an extension of standard first-order sequent calculus (including cut), where the
standard rules are applicable with respect to top-level propositional connectives
and quantifiers. Figure 1 shows the left and right rules for separating conjunction
and implication. These rules closely follow the translation in Definition 3 of SL
into second-order logic, eliminating the explicit second-order quantification by
applying the standard proof rules for second-order quantification (which themselves
are straightforward generalizations of the rules for first-order quantification,
instantiating the second-order variables by formulas). The binary relation
symbols $R_1$, $R_2$ and $R$ introduced in the rules $L_*$ and $R_{-*}$ are ‘fresh’ binary
relation symbols, that is, they must not appear in the formulas of the conclusion
of the rules.
We also have rules which allow classical reasoning under rooted assertions:
$(p \circ q)@\phi \leftrightarrow (p@\phi) \circ (q@\phi)$, where $\circ$ denotes binary propositional connectives,
e.g., conjunction, disjunction, and implication, $(\neg p)@\phi \leftrightarrow \neg(p@\phi)$, and
$(\exists x\, p)@\phi \leftrightarrow \exists x(p@\phi)$ (and similarly $(\forall x\, p)@\phi \leftrightarrow \forall x(p@\phi)$). Further, we have
$\forall x, y(\phi \leftrightarrow \psi) \to (p@\phi \leftrightarrow p@\psi)$. It is straightforward to validate these rules,
but we omit the details of the semantics $M, s \models A$, which follows the standard
Tarski-style classical semantics, given the semantics of rooted assertions which
may appear in the place of atomic formulas.

In the so-called ‘points-to’ rules of Fig. 1 the formula $p$ does not involve occurrences
of the separating connectives. Such a formula of SL we call basic. Note that
it differs from pure first-order formulas in that basic formulas additionally may
involve the points-to relation. For such formulas we denote by $p[\phi/\hookrightarrow]$, for any
binary formula $\phi(x, y)$, the result of replacing every atomic assertion $(t \hookrightarrow t')$ in
$p$ by $\phi(t, t')$, which is a pure first-order formula. It follows that $M, s \models p[\phi/\hookrightarrow]$
if and only if $M, Rel_M(\phi), s \models p$, for any basic formula $p$.


Example Proofs

$\Gamma' \Rightarrow q@R, R_1 \perp R_2 \qquad \Gamma' \Rightarrow q@R, p@R_1 \qquad \Gamma', q@(R_1 \vee R_2) \Rightarrow q@R$
-------------------------------------------------------------------------------------------- $L_{-\!*}$
$R = R_1 \uplus R_2,\ p@R_1,\ (p -\!* q)@R_2 \Rightarrow q@R$
-------------------------------------------------------------------------------------------- $L_*$
$(p * (p -\!* q))@R \Rightarrow q@R$
--------------------------------------------------------------------------------------------
$\Rightarrow (p * (p -\!* q))@R \to q@R$
--------------------------------------------------------------------------------------------
$\Rightarrow ((p * (p -\!* q)) \to q)@R$

As a first example of the use of the sequent calculus, above we have a derivation of the sequent $\Rightarrow ((p * (p -\!* q)) \to q)@R$ which represents the validity of $(p * (p -\!* q)) \to q$. This derivation essentially consists of an application of the rule $L_*$ followed by an application of the rule $L_{-\!*}$. In this derivation $\Gamma'$ denotes the formulas $R = R_1 \uplus R_2, p@R_1$ generated by the application of rule $L_*$. The second premise of the application of the rule $L_{-\!*}$ is derivable from an instance of the axiom $\Gamma, A \Rightarrow A, \Delta$. Note that $\psi$ (in the $L_{-\!*}$ rule) is instantiated with $R_1$. The first and third premise follow from the fact that $R = R_1 \uplus R_2$ reduces to $R_1 \perp R_2$ and $R = R_1 \cup R_2$ (that part of the proof is not shown above).

Next we show how to use the calculus in reasoning about the equivalence of weakest preconditions that arise in the practice of verifying the correctness of heap-manipulating programs. Let $p$ denote the weakest precondition $(u \hookrightarrow -) \wedge (z = 0 \lhd u = v \rhd v \hookrightarrow z)$ of the heap update $[u] := 0$ which ensures the postcondition $v \hookrightarrow z$ after assigning the value 0 to the location denoted by the variable $u$ (here $\varphi \lhd b \rhd \psi$ abbreviates $(b \wedge \varphi) \vee (\neg b \wedge \psi)$, and $x \hookrightarrow y$ is the non-strict points-to, which holds if the heap contains the cell $(x,y)$, in contrast to the strict $x \mapsto y$ which requires the heap to consist of that single cell; in [ABHdG23] a dynamic logic extension of SL is introduced which generates this weakest precondition). The standard rule for backwards reasoning in [Rey02] gives the weakest precondition $(u \mapsto -) * (u \mapsto 0 -\!* v \hookrightarrow z)$, which we denote by $p'$. These preconditions are equivalent because both are the weakest.

Surprisingly, a proof of the implication $p' \to p$ however exceeds the capability of all the automatic SL provers in the benchmark competition for SL [SNPR+19].


The Logic of Separation Logic: Models and Proofs


In particular, of the automatic provers, only the CVC4-SL tool [RISK16] supports the fragment of SL that includes the separating implication connective. However, from our own experiments with that tool, we found that it produces an incorrect counter-example and reported this as a bug to one of the maintainers of the project (Andrew Reynolds). In fact, the latest version, CVC5-SL, reports the same input as 'unknown', indicating that the tool is incomplete. In the case of (semi-)interactive SL provers (such as Iris [JKJ+18], and VerCors [AH21, MRH22], which uses Viper [MSS16] as a back-end) we sought out expertise and collaborated in our search for a tool-supported proof of the above equivalence. Even after personally visiting the Iris team in Nijmegen (led by Robbert Krebbers) and the VerCors team in Twente (led by Marieke Huisman), we were unable to guide the tools to produce a proof of $p' \to p$. The problem here seems similar to that of [HT16], in that their semantics of the separating connectives, which are formalized in terms of abstract monoids, are not compatible with the set-theoretic interpretation of the points-to relation.

In fact, the equivalence between the above two formulas can be expressed in quantifier-free separation logic, for which a complete axiomatization of all valid formulas has been given in [DLM21]. In the sequent calculus we can express the equivalence of $p$ and $p'$ in terms of the sequent $\mathrm{fun}(R) \Rightarrow (p \leftrightarrow p')@R$. Here $R$ is an arbitrary binary relation symbol used to represent the current interpretation of the points-to relation. We abbreviate $\forall x,y,z\,((R(x,y) \wedge R(x,z)) \to y = z)$ by $\mathrm{fun}(R)$. A proof of the above sequent amounts to proving the sequents $\mathrm{fun}(R), p'@R \Rightarrow p@R$ and $\mathrm{fun}(R), p@R \Rightarrow p'@R$. Below we present a high-level proof of the first sequent, abstracting from some basic first-order reasoning in the calculus.

By an application of $L_*$, to derive the sequent $\mathrm{fun}(R), p'@R \Rightarrow p@R$ it suffices to derive

$$\mathrm{fun}(R),\ R = R_1 \uplus R_2,\ (u \mapsto -)@R_1,\ (u \mapsto 0 -\!* v \hookrightarrow z)@R_2 \Rightarrow p@R$$

for some fresh $R_1$ and $R_2$. Let $\psi(x,y)$ denote the binary formula $x = u \wedge y = 0$. Further, let $\Gamma$ denote the set of formulas $\mathrm{fun}(R), R = R_1 \uplus R_2, (u \mapsto -)@R_1$. By an application of the rule $L_{-\!*}$ it then suffices to prove the following sequents (from $\Gamma \Rightarrow A$ we can derive $\Gamma \Rightarrow A, \Delta$ by right-weakening). First we prove $\Gamma \Rightarrow R_2 \cap \psi = \emptyset$ (that is, $\psi \perp R_2$): By the points-to rules the rooted assertion $(u \mapsto -)@R_1$ (appearing in $\Gamma$) reduces to $\exists z\,(R_1(u,z) \wedge \forall x,y\,(R_1(x,y) \to x = u \wedge y = z))$ (the forall-part of the formula is due to the 'strict' points-to which states that the domain contains $u$ as its only location). Further, $R_2 \cap \psi = \emptyset$ logically boils down to $\neg\exists x,y\,(R_2(x,y) \wedge (x = u \wedge y = 0))$, that is, $\neg R_2(u,0)$, which in basic first-order logic follows from $\exists z\,R_1(u,z)$ and the assumptions $R = R_1 \uplus R_2$ and $\mathrm{fun}(R)$.

Second, we prove $\Gamma \Rightarrow (u \mapsto 0)@\psi$: By the points-to rules $(u \mapsto 0)@\psi$ (using the expanded definition $\varphi$ of $u \mapsto 0$ and the definition of the substitution $\varphi[\psi/\!\mapsto]$) reduces to $(u = u) \wedge (0 = 0) \wedge \forall x,y\,((x = u \wedge y = 0) \to (x = u \wedge y = 0))$, which is equivalent to true.

And, finally, we prove $\Gamma, (v \hookrightarrow z)@(R_2 \vee \psi) \Rightarrow p@R$: First note that (again, by the points-to rules)

$$((u \hookrightarrow -) \wedge (z = 0 \lhd u = v \rhd v \hookrightarrow z))@R$$

reduces to

$$\exists z\,R(u,z) \wedge (z = 0 \lhd u = v \rhd R(v,z))$$

The assertion $\exists z\,R(u,z)$ clearly follows from the assumptions $R = R_1 \uplus R_2$ and $(u \mapsto -)@R_1$ in $\Gamma$. To prove $z = 0 \lhd u = v \rhd R(v,z)$, we first reduce the assumption $(v \hookrightarrow z)@(R_2 \vee \psi)$ to $R_2(v,z) \vee (v = u \wedge z = 0)$. Now, if $v = u$ then $\neg R_2(v,z)$, because of the assumptions $\mathrm{fun}(R)$, $R = R_1 \uplus R_2$ and $(u \mapsto -)@R_1$. So we have that $z = 0$. Otherwise, we have $R_2(v,z)$, and thus $R(v,z)$, because $R = R_1 \uplus R_2$.
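The equivalence just proved, and the modus ponens derivation shown earlier, can also be checked mechanically on small finite models. The following Python script is an added example, not code from the paper: it implements the semantics of Lemma 1 directly over a finite domain, with a heap taken to be any binary relation $R$ over that domain, and searches for counterexamples. It assumes (as its comments state) that over a finite domain whose elements are all nameable every relation is first-order definable, so the binary formula $\psi$ in the clause for $-\!*$ ranges over all relations disjoint from $R$. The domain, the variable names `u`, `v`, `z` and the functions `wp_formulas` and `find_counterexample` are constructed for this example.

```python
"""Finite-model checker for rooted assertions and the separating connectives.

Added example, not the paper's code.  A heap is a binary relation over a small
finite domain; p@R is evaluated by reading the points-to relation as R, and the
separating connectives follow Lemma 1.  Assumption: on a finite domain whose
elements are all nameable every relation is first-order definable, so the
binary formula psi in the clause for -* ranges over all relations disjoint from R.
"""
from itertools import combinations, product

DOMAIN = (0, 1, 2)   # constructed: three locations/values; 0 is the constant of [u] := 0


def all_relations(domain):
    """Every binary relation over `domain`, each as a frozenset of (x, y) pairs."""
    pairs = [(a, b) for a in domain for b in domain]
    return [frozenset(p for i, p in enumerate(pairs) if mask >> i & 1)
            for mask in range(1 << len(pairs))]


def is_functional(rel):
    """fun(R): no location is related to two different values."""
    return len({a for a, _ in rel}) == len(rel)


def tv(t, val):
    """Value of a term: variable names are looked up, integers are constants."""
    return val[t] if isinstance(t, str) else t


# A formula is a function (val, h, rels) -> bool: `val` maps program variables to
# domain elements, `h` is the current relation R, and `rels` lists all admissible
# relations (the range of psi in the clause for -*).

def pto(x, y):        # strict x |-> y: the heap is exactly {(x, y)}
    return lambda val, h, rels: len(h) == 1 and (tv(x, val), tv(y, val)) in h

def pto_any(x):       # strict x |-> -: the heap is exactly {(x, a)} for some a
    return lambda val, h, rels: len(h) == 1 and next(iter(h))[0] == tv(x, val)

def hooks(x, y):      # non-strict x hooks-to y: the cell (x, y) is in the heap
    return lambda val, h, rels: (tv(x, val), tv(y, val)) in h

def hooks_any(x):     # non-strict x hooks-to -: x is allocated in the heap
    return lambda val, h, rels: any(a == tv(x, val) for a, _ in h)

def eq(x, y):
    return lambda val, h, rels: tv(x, val) == tv(y, val)

def neg(f):
    return lambda val, h, rels: not f(val, h, rels)

def conj(f, g):
    return lambda val, h, rels: f(val, h, rels) and g(val, h, rels)

def disj(f, g):
    return lambda val, h, rels: f(val, h, rels) or g(val, h, rels)

def impl(f, g):
    return lambda val, h, rels: not f(val, h, rels) or g(val, h, rels)

def iff(f, g):
    return conj(impl(f, g), impl(g, f))

def cond(b, f, g):    # f <| b |> g  ==  (b and f) or (not b and g)
    return disj(conj(b, f), conj(neg(b), g))

def sep(f, g):        # (f * g)@R: R = R1 (+) R2 with f@R1 and g@R2, as in Lemma 1
    def ev(val, h, rels):
        items = tuple(h)
        return any(f(val, frozenset(part), rels) and g(val, h - frozenset(part), rels)
                   for k in range(len(items) + 1) for part in combinations(items, k))
    return ev

def wand(f, g):       # (f -* g)@R: for all psi disjoint from R, f@psi implies g@(R or psi)
    def ev(val, h, rels):
        return all(g(val, h | psi, rels)
                   for psi in rels if not (psi & h) and f(val, psi, rels))
    return ev


def wp_formulas():
    """p (the dynamic-logic weakest precondition) and p' (Reynolds' backward rule)."""
    p = conj(hooks_any('u'), cond(eq('u', 'v'), eq('z', 0), hooks('v', 'z')))
    p_prime = sep(pto_any('u'), wand(pto('u', 0), hooks('v', 'z')))
    return p, p_prime


def find_counterexample(formula, variables, domain=DOMAIN, functional_only=True):
    """First (valuation, heap) falsifying `formula`, or None when it is valid.
    With functional_only=True the heap R ranges over functional relations only,
    i.e. the formula is checked under the hypothesis fun(R)."""
    rels = all_relations(domain)
    heaps = [r for r in rels if not functional_only or is_functional(r)]
    for values in product(domain, repeat=len(variables)):
        val = dict(zip(variables, values))
        for h in heaps:
            if not formula(val, h, rels):
                return val, h
    return None


if __name__ == "__main__":
    p, p_prime = wp_formulas()
    print("fun(R) => (p <-> p')@R:", find_counterexample(iff(p, p_prime), ('u', 'v', 'z')))
    print("p' -> p without fun(R):",
          find_counterexample(impl(p_prime, p), ('u', 'v', 'z'), functional_only=False))
```

Under the hypothesis $\mathrm{fun}(R)$ the search finds no counterexample to $p \leftrightarrow p'$. Dropping it, the search returns a heap in which $u$ points to two different values; there $p'$ holds (the cell $(u,0)$ can be hidden in $R_2$, making the separating implication vacuous) while $p$ fails, which is exactly the step of the proof above that appeals to $\mathrm{fun}(R)$.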


Soundness and Completeness. We denote by $\vdash \Gamma \Rightarrow \Delta$ that there exists a proof of the sequent $\Gamma \Rightarrow \Delta$. To define $\models \Gamma \Rightarrow \Delta$, let $\sigma$ denote a substitution which assigns to every binary relation symbol $R$ of the sequent $\Gamma \Rightarrow \Delta$ a binary formula $\varphi$. Such a substitution $\sigma$ simply replaces occurrences of $R(t,t')$ by $\varphi(t,t')$, where $\sigma(R) = \varphi(x,y)$. By $\models \Gamma \Rightarrow \Delta$ we then denote that $M,s \models \bigwedge \Gamma\sigma$ (that is, $M,s \models A\sigma$, for every $A \in \Gamma$) implies $M,s \models \bigvee \Delta\sigma$ (that is, $M,s \models B\sigma$, for some $B \in \Delta$), for every $M,s$ and every substitution $\sigma$.

In the soundness proof below we use these substitutions to instantiate the fresh binary relation symbols introduced in the rules $L_*$ and $R_{-\!*}$. Note that updating the interpretation of these symbols (as provided by $M$) would affect the semantics of the separating connectives if binary formulas were to refer to these fresh binary relation symbols (note that they are only required not to appear in formulas of the conclusion of the rules $L_*$ and $R_{-\!*}$).

We generalize the above notions of derivability and validity to possibly infinite $\Gamma$: $\Gamma \vdash \Delta$ indicates that $\vdash \Gamma' \Rightarrow \Delta$, for some finite $\Gamma' \subseteq \Gamma$, and $\Gamma \models \Delta$ indicates that for every substitution $\sigma$ we have that $M,s \models \Gamma\sigma$ (that is, $M,s \models A\sigma$, for every $A \in \Gamma$) implies $M,s \models B\sigma$, for some $B \in \Delta$.


Theorem 1 (Soundness). We have that $\vdash \Gamma \Rightarrow \Delta$ implies $\models \Gamma \Rightarrow \Delta$.


Proof. We prove that the rules for the separating connectives preserve validity. The points-to rules are sound because $M, \mathrm{Rel}_{M,s}(\varphi), s \models p$ if and only if $M,s \models p[\varphi/\!\mapsto]$, for any basic formula $p$ (note that $p[\varphi/\!\mapsto]$ is a pure first-order formula which does not depend on the heap).

$L_*$: Let $M,s \models \Gamma\sigma$ and $M,s \models (p\sigma * q\sigma)@\varphi\sigma$. We have to show that $M,s \models \bigvee\Delta\sigma$. By Lemma 1, there exist $\varphi_1$ and $\varphi_2$ such that $M,s \models (\varphi\sigma) = \varphi_1 \uplus \varphi_2$, $M,s \models p\sigma@\varphi_1$, and $M,s \models q\sigma@\varphi_2$. Let $\sigma' = \sigma[R_1, R_2 := \varphi_1, \varphi_2]$. Since $R_1$ and $R_2$ are fresh and as such do not appear in $\Gamma, (p * q)@\varphi$, it follows that $M,s \models \Gamma'\sigma'$, where $\Gamma' = \Gamma, \varphi = R_1 \uplus R_2, p@R_1, q@R_2$. By the validity of the premise we thus obtain that $M,s \models \bigvee\Delta\sigma'$. Since $R_1$ and $R_2$ also do not appear in $\Delta$, we conclude that $M,s \models \bigvee\Delta\sigma$.

$R_*$: Let $M,s \models \Gamma\sigma$ and suppose that $M,s \not\models \bigvee\Delta\sigma$. From the validity of the premises it then follows that $M,s \models \varphi\sigma = (\varphi_1 \uplus \varphi_2)\sigma$, $M,s \models p\sigma@\varphi_1\sigma$, and $M,s \models q\sigma@\varphi_2\sigma$. By Lemma 1 we conclude $M,s \models (p\sigma * q\sigma)@\varphi\sigma$.

$L_{-\!*}$: Let $M,s \models \Gamma\sigma$ and $M,s \models (p\sigma -\!* q\sigma)@\varphi\sigma$, and suppose that $M,s \not\models \bigvee\Delta\sigma$. From the validity of the first two premises it then follows that $M,s \models \varphi\sigma \perp \psi\sigma$ and $M,s \models p\sigma@\psi\sigma$. By Lemma 1 again, it follows that $M,s \models q\sigma@(\varphi\sigma \vee \psi\sigma)$. By the validity of the third premise we thus derive that $M,s \models \bigvee\Delta\sigma$, which contradicts our assumption.

$R_{-\!*}$: Let $M,s \models \Gamma\sigma$ and suppose that $M,s \not\models \bigvee\Delta\sigma$. We have to show that $M,s \models (p\sigma -\!* q\sigma)@\varphi\sigma$. Let $\psi$ be such that $M,s \models \psi \perp (\varphi\sigma)$ and $M,s \models p\sigma@\psi$. Further, let $R$ be a fresh variable and $\sigma' = \sigma[R := \psi]$. It follows that $M,s \models \Gamma'\sigma'$, where $\Gamma' = \Gamma, R \perp \varphi, p@R$, and $M,s \not\models \bigvee\Delta\sigma'$. And so we derive from the validity of the premise of the rule that $M,s \models q\sigma@(\varphi\sigma \vee \psi)$. Since $\psi$ was arbitrarily chosen, by Lemma 1 again we conclude that $M,s \models (p\sigma -\!* q\sigma)@\varphi\sigma$. $\square$

As a corollary we obtain that $\Gamma \vdash \Delta$ implies $\Gamma \models \Delta$.

Following the completeness proof of first-order logic as described in [Hen49], it suffices to show that every consistent set of formulas is satisfiable (the so-called 'model existence theorem'). A set of formulas $\Gamma$ is consistent if $\Gamma \nvdash \emptyset$. We first show that every consistent set of formulas can be extended to a maximal consistent set. To this end we assume an infinite set of 'fresh' binary relation symbols $R$ that do not appear in $\Gamma$. We construct for any consistent set $\Gamma$ a maximal consistent extension $\Gamma^\infty$, assuming an enumeration of all formulas $A_n$ (which also covers all first-order formulas). We define $\Gamma_0 = \Gamma$, and $\Gamma_{n+1}$ satisfies the general rule: if $\Gamma_n, A_n \nvdash \emptyset$ then $\Gamma_n \cup \{A_n\} \subseteq \Gamma_{n+1}$, otherwise $\Gamma_{n+1} = \Gamma_n$. Additionally, in case $A_n$ is added and $A_n$ is of the form $\exists x\,A$ or a rooted assertion $(p * q)@\varphi$ or $\neg(p -\!* q)@\varphi$, we also include corresponding witnesses in $\Gamma_{n+1}$:


- If $A_n$ is of the form $\exists x\,A$ we additionally add $A(y)$, where $A(y)$ results from replacing all free occurrences of $x$ in $A$ by the fresh variable $y$ which does not appear in $\Gamma_n$.

Note that $A(y)$ can indeed be added consistently because from $\Gamma_n, A(y) \vdash \emptyset$ we would derive $\Gamma_n, \exists x\,A \vdash \emptyset$, which contradicts the assumption that $\Gamma_n, \exists x\,A \nvdash \emptyset$.

- If $A_n$ is of the form $(p * q)@\varphi$ we additionally add the formulas $\varphi = R_1 \uplus R_2$, $R_1 \perp R_2$, $p@R_1$, and $q@R_2$, where $R_1$ and $R_2$ are fresh (e.g., not appearing in $\Gamma_n$).

Note that these formulas can indeed be added consistently because from $\Gamma_n, \varphi = R_1 \uplus R_2, R_1 \perp R_2, p@R_1, q@R_2 \vdash \emptyset$ we would derive $\Gamma_n, (p * q)@\varphi \vdash \emptyset$ (by rule $L_*$).

- If $A_n$ is of the form $\neg(p -\!* q)@\varphi$ (which is equivalent to $\neg((p -\!* q)@\varphi)$) we additionally add the formulas $R \perp \varphi$, $p@R(x,y)$, and $\neg q@(\varphi \vee R)$, where $R$ is fresh (e.g., not appearing in $\Gamma_n$).

Note that these formulas can indeed be added consistently because from $\Gamma_n, R \perp \varphi, p@R(x,y), \neg q@(\varphi \vee R) \vdash \emptyset$ we would derive $\Gamma_n \vdash (p -\!* q)@\varphi$ (by rule $R_{-\!*}$), which contradicts the assumption that $\Gamma_n, \neg(p -\!* q)@\varphi \nvdash \emptyset$.


We define $\Gamma^\infty = \bigcup_n \Gamma_n$. By construction $\Gamma^\infty$ is maximal consistent. Given a maximal consistent set of formulas $\Gamma$, let $M_\Gamma = (D, I)$, where $D$ is the set of equivalence classes $[t] = \{t' \mid t = t' \in \Gamma\}$. For any function symbol $f$ and relation symbol $R$ (excluding the points-to relation $\mapsto$) we define

- $I(f)([t_1], \dots, [t_n]) = [f(t_1, \dots, t_n)]$;
- $I(R)([t_1], \dots, [t_n]) = \mathrm{true}$ if and only if $R(t_1, \dots, t_n) \in \Gamma$.


The above interpretation of the function and relation symbols is well-defined because its definition does not depend on the choice of the representatives (this follows from the equality axioms).

Given a maximal consistent set of formulas $\Gamma$ and the model $M_\Gamma = (D, I)$, a corresponding valuation $s$ assigns to every variable $x$ an equivalence class $[t]$. However, in the sequel we will represent such a valuation by a substitution $s$ which simply assigns to each variable a term. The value of a variable $x$ is then given by the equivalence class $[s(x)]$ of the term $s(x)$.

Given a substitution $s$, for any term $t$ and formula $A$ (of the sequent calculus) we denote by $ts$ and $As$ the result of replacing every free occurrence of a (first-order) variable $x$ in $t$ and $A$ by $s(x)$. Note that $(p@\varphi)s = ps@\varphi$, because the meaning of $p@\varphi$ does not depend on the free variables $x$ and $y$ of the binary formula $\varphi(x,y)$.

Given a maximal consistent set of formulas $\Gamma$ and the model $M_\Gamma = (D, I)$, it follows that $I_s(t) = [ts]$, for every term $t$ and substitution $s$.


Lemma 2. Given a maximal consistent set of formulas $\Gamma$ and the model $M_\Gamma = (D, I)$, we have $M,s \models A$ if and only if $As \in \Gamma$, for every formula $A$ and substitution $s$.


Proof. The proof proceeds by induction on the following well-founded ordering $A < B$ on formulas of the sequent calculus: Let $\#A = (n, m)$, where $n$ denotes the number of occurrences of the separating connectives and the $@$-binding operator in $A$ and $m$ denotes the number of occurrences of the (standard) first-order logical operations in $A$. Then $A < B$ if $\#A < \#B$, where the latter denotes the lexicographical ordering on $\mathbb{N} \times \mathbb{N}$ (w.r.t. the standard 'smaller than' ordering on the natural numbers). We treat the following main cases (for notational convenience $M$ denotes the model $M_\Gamma$).


- Let $M,s \models A$, where $A$ denotes the formula $(p * q)@\varphi$. By Lemma 1 there exist $\varphi_1$ and $\varphi_2$ such that $M,s \models \varphi = \varphi_1 \uplus \varphi_2$, $M,s \models p@\varphi_1$ and $M,s \models q@\varphi_2$. From the induction hypothesis it follows that $ps@\varphi_1, qs@\varphi_2, \varphi = \varphi_1 \uplus \varphi_2 \in \Gamma$ (note that the first-order formula $\varphi = \varphi_1 \uplus \varphi_2$ does not contain free variables, and thus is not affected by the substitution $s$). So we derive by rule $R_*$ that $\Gamma \vdash (ps * qs)@\varphi$. By maximal consistency of $\Gamma$, we then conclude that $(ps * qs)@\varphi \in \Gamma$, that is, $As \in \Gamma$.
  On the other hand, let $As \in \Gamma$. That is, $(ps * qs)@\varphi \in \Gamma$. By construction $\varphi = R_1 \uplus R_2, ps@R_1, qs@R_2 \in \Gamma$, for some witnesses $R_1$ and $R_2$. By the induction hypothesis it then follows that $M,s \models p@R_1$ and $M,s \models q@R_2$. Further, the induction hypothesis gives $M,s \models \varphi = R_1 \uplus R_2$ (again, note that the formula $\varphi = R_1 \uplus R_2$ has no free variables, and thus is not affected by the substitution $s$). We conclude by Lemma 1 that $M,s \models (p * q)@\varphi$.

- Let $M,s \models A$, where $A$ denotes the formula $(p -\!* q)@\varphi$. Suppose $As \notin \Gamma$. By the maximal consistency of $\Gamma$, we then have $\neg(ps -\!* qs)@\varphi \in \Gamma$. By construction $R \perp \varphi, ps@R, \neg qs@(\varphi \vee R) \in \Gamma$, for some witness $R$, which contradicts $M,s \models (p -\!* q)@\varphi$ (after application of the induction hypothesis and using Lemma 1 again).
  On the other hand, let $As \in \Gamma$. To show that $M,s \models (p -\!* q)@\varphi$, let $M,s \models \varphi \perp \psi$ and $M,s \models p@\psi$, for some binary formula $\psi$. By the induction hypothesis we have that $\varphi \perp \psi, ps@\psi \in \Gamma$. Suppose that $qs@(\varphi \vee \psi) \notin \Gamma$, that is, $\neg qs@(\varphi \vee \psi) \in \Gamma$ ($\Gamma$ is maximal consistent), and thus $\Gamma, qs@(\varphi \vee \psi) \vdash \emptyset$. Applying rule $L_{-\!*}$ we then derive $\Gamma, (ps -\!* qs)@\varphi \vdash \emptyset$, which contradicts the consistency of $\Gamma$ (as $(ps -\!* qs)@\varphi \in \Gamma$). So we have that $qs@(\varphi \vee \psi) \in \Gamma$, that is, $M,s \models q@(\varphi \vee \psi)$, by the induction hypothesis. Since $\psi$ is chosen arbitrarily, it follows by Lemma 1 that $M,s \models (p -\!* q)@\varphi$.

- Let $A$ be a formula $p@\varphi$, where $p$ denotes a basic formula. Let $R = \mathrm{Rel}_{M,s}(\varphi)$. We then have $M,s \models p@\varphi$ iff (by definition) $M,R,s \models p$ iff (straightforward induction on $p$) $M,s \models p[\varphi/\!\mapsto]$ iff (induction hypothesis for $p[\varphi/\!\mapsto]$) $ps[\varphi/\!\mapsto] \in \Gamma$ iff (by the points-to rules) $ps@\varphi \in \Gamma$. Note that applying the substitution $s$ to $p@\varphi$ and $p[\varphi/\!\mapsto]$ results in $ps@\varphi$ and $ps[\varphi/\!\mapsto]$. $\square$


The downward Löwenheim-Skolem property follows. It should be noted that we cannot remove from the constructed model the binary relation symbols which are introduced as witnesses, as these determine the notion of first-order definability.


Theorem 2 (Completeness). We have that $\Gamma \models \Delta$ implies $\Gamma \vdash \Delta$.


Compactness follows. We thus derive (by Lindström's theorem [Vää10]) that this version of SL is as expressive as first-order logic.


6 Conclusion 


We investigated the expressiveness of full SL over arbitrary first-order models. We have shown that restricting the quantification to first-order definable heaps gives rise to a semantic consequence relation that can be captured by a sound and complete extension of the standard sequent calculus for first-order logic.

The main question that remains is the exact relationship between full SL, which allows for infinite heaps, and second-order logic. In [KR04] a translation is given of general second-order logic into a first-order logic with spatial conjunction. Spatial conjunction (as defined in [KR04]) allows one to split a global set of arbitrary relations. As such it goes beyond the local scope of separating conjunction, which is restricted to the points-to relation. We conjecture that second-order logic is strictly more expressive than full SL.


Acknowledgements. The authors thank the anonymous referees for providing many 
constructive and useful suggestions for improvement. 
Abstract. We investigate the satisfiability problem for a fragment of Separation Logic (SL) with inductively defined spatial predicates and permissions. We show that the problem is undecidable in general, but decidable under some restrictions on the rules defining the semantics of the spatial predicates. Furthermore, if the satisfiability of permission formulas can be tested in exponential time for the considered permission model then SL satisfiability is EXPTIME-complete.


1 Introduction 


Separation Logic [14,22] (SL) is a dialect of bunched logic [18] that is widely used 
in verification for reasoning on programs manipulating pointer-based data struc- 
tures. It constitutes the theoretical basis of several industrial scale automated 
static program analyzers [1,2,7]. SL formulas describe heaps, with atoms assert- 
ing that some location (i.e., a memory address) is allocated and refers to some 
tuple of locations (i.e., a record), combined with a special connective *, called 
separating conjunction, which is used to compose heaps. Custom data structures 
may be described in this setting by using spatial predicates, the semantics of 
which is defined using inductive rules, similar to those used for defining recur- 
sive structures in usual programming languages. Such rules allow one to describe 
heaps of unbounded size with some particular structure such as lists or trees. In 
this setting, existing work usually focuses on the fragment of SL called symbolic 
heaps (defined as separating conjunctions of SL atoms). 

Usually, SL formulas are interpreted in the standard heap model, where heaps 
are defined as partial finite functions mapping locations to tuples of locations 
and where the separating conjunction * is interpreted as the disjoint union of 
heaps. Both the satisfiability and entailment problems have been extensively 
investigated for this heap model. It was proven that the satisfiability problem is EXPTIME-complete [6], whereas the entailment problem is undecidable in general, and 2-EXPTIME-complete provided the inductive rules meet some syntactic conditions [11-13,15] which are general enough to capture usual data structures used in programming. The combination of spatial reasoning with theory reasoning has also been thoroughly investigated, see for instance [16,19-21,23].
However, richer models exist (see for instance [8]) accounting for additional features of dynamic memory. The automation of reasoning in these models has received little attention. One such model that is of practical relevance is separation logic with permissions [3,5], where allocated locations are associated with so-called permissions used to model the ownership of a given heap region (e.g., a process may have read or write permission over some location). The heap composition operator that is used to define the interpretation of the separating conjunction is more complex in this framework than in the above case: non-disjoint heaps can be combined if they agree on all the locations on which they are both defined and if the corresponding permissions can be combined (for instance it is natural to assume that read permissions can be freely combined but not write permissions). The framework is thus parameterized by some permission model describing which permissions are available and how they can be combined. In [10] algorithms are provided to decide the satisfiability and entailment problems for SL formulas (symbolic heaps) with permissions in the case of lists, i.e., when all allocated locations refer to a single location (i.e., to a record of size 1) and when there is only one spatial predicate $\mathsf{lseg}_p(x,y)$ denoting a list segment from $x$ to $y$, with permission $p$. The provided algorithms are generic w.r.t. the permission model, and it is proven that these problems are in NP and co-NP, respectively, assuming that some oracle exists for testing the satisfiability of permission formulas in the considered model.

In the present paper, we investigate the satisfiability problem for SL formulas with permissions defined over arbitrary spatial predicates, with user-defined inductive rules. The goal is to allow for more genericity by tackling custom data structures (such as trees, cyclic lists, doubly linked lists etc.) with arbitrary permissions. The addition of permissions makes satisfiability testing much more difficult: we prove that the problem is undecidable in general, and we devise syntactic conditions on the inductive rules for which the problem is EXPTIME-complete. The restrictions are similar to, but stronger than, those given in [13] to ensure the decidability of the entailment problem in the standard heap model. In particular, the inductive rules defining the predicate $\mathsf{lseg}$ mentioned above fulfill these restrictions$^1$, as do those defining other usual data structures such as cyclic lists, trees etc. (however, doubly linked lists or trees with parent links are not captured). The considered inductive rules use a special connective $\circ$ (different from $*$) that is interpreted as a disjoint union. As we shall see, this is both more natural for defining data structures (see also [5]) and required for deciding satisfiability.


2 Definitions 


Syntax. We first briefly review some basic notations. If $\mathbf{x}$ and $\mathbf{y}$ are finite sequences, then we denote by $\mathbf{x}.\mathbf{y}$ the concatenation of $\mathbf{x}$ and $\mathbf{y}$. We denote by $|\mathbf{x}|$ the length of $\mathbf{x}$ and by $\mathbf{x}|_i$ its $i$-th element (if $1 \le i \le |\mathbf{x}|$). If $E \subseteq \{1,\dots,|\mathbf{x}|\}$ then $\mathbf{x}|_E$ denotes the set $\{\mathbf{x}|_i \mid i \in E\}$. With a slight abuse of notation, a finite sequence $\mathbf{x}$ is sometimes identified with the set $\{\mathbf{x}|_i \mid i = 1,\dots,|\mathbf{x}|\}$; for instance, we may write $x \in (\mathbf{u} \cup \mathbf{v}) \setminus \mathbf{w}$ to state that $x$ occurs in $\mathbf{u}$ or $\mathbf{v}$ but not in $\mathbf{w}$.

$^1$ Provided the considered lists are not empty.

We consider a multisorted framework, with two sorts $\mathsf{l}$ (for locations) and $\mathsf{p}$ (for permissions). Let $\mathcal{V}_{\mathsf{l}}$ and $\mathcal{V}_{\mathsf{p}}$ be two countably infinite disjoint sets of variables, with $\mathcal{V} = \mathcal{V}_{\mathsf{l}} \cup \mathcal{V}_{\mathsf{p}}$, where $\mathcal{V}_{\mathsf{l}}$ and $\mathcal{V}_{\mathsf{p}}$ denote location variables and permission variables, respectively. The set of permission terms $\mathcal{T}_{\mathsf{p}}$ denotes the set of terms built inductively as usual on the set of variables $\mathcal{V}_{\mathsf{p}}$ and the binary function $\oplus$ (written in infix notation). A points-to atom is an expression of the form $x \mapsto_p (y_1,\dots,y_k)$ with $x, y_1, \dots, y_k \in \mathcal{V}_{\mathsf{l}}$ and $p \in \mathcal{T}_{\mathsf{p}}$. An equational atom is an expression of the form $x \approx y$ or $x \not\approx y$ with either $x,y \in \mathcal{V}_{\mathsf{l}}$ or $x,y \in \mathcal{T}_{\mathsf{p}}$.

We consider two disjoint sets of predicate symbols $\mathcal{P}_{\mathsf{p}}$ and $\mathcal{P}$. The set $\mathcal{P}_{\mathsf{p}}$ denotes permission predicates, where each predicate $P \in \mathcal{P}_{\mathsf{p}}$ is associated with a unique arity $\#(P)$. A permission atom is an expression of the form $P(p_1,\dots,p_n)$, $P \in \mathcal{P}_{\mathsf{p}}$, $n = \#(P)$ and $p_1,\dots,p_n \in \mathcal{T}_{\mathsf{p}}$. $\mathcal{P}$ is a finite set of spatial predicate symbols. Each symbol $P \in \mathcal{P}$ is associated with a spatial arity $\#_{\mathsf{l}}(P) \in \mathbb{N}$ and with an arity $\#(P) \in \mathbb{N}$, with $\#(P) \ge \#_{\mathsf{l}}(P) \ge 0$ ($\#_{\mathsf{l}}(P)$ and $\#(P) - \#_{\mathsf{l}}(P)$ denote the number of arguments of $P$ that are of sort $\mathsf{l}$ and $\mathsf{p}$, respectively). A predicate atom is an expression of the form $P(x_1,\dots,x_n,p_1,\dots,p_m)$, with $n = \#_{\mathsf{l}}(P)$, $n + m = \#(P)$, $x_1,\dots,x_n \in \mathcal{V}_{\mathsf{l}}$ and $p_1,\dots,p_m \in \mathcal{T}_{\mathsf{p}}$. A spatial atom is either a points-to atom or a predicate atom.

The set of formulas is built inductively as usual on the logical constants $\mathsf{emp}$ and $\bot$ and on the set of spatial, equational and permission atoms, using the special connectives $*$ and $\circ$ and existential quantification on variables of sort $\mathsf{l}$ only (existential quantification over variables of sort $\mathsf{p}$ is not allowed). The connective $*$ is usually called separating conjunction, and we call $\circ$ the disjoint conjunction (it is intended to capture the disjoint union of heaps$^2$). Formulas are taken up to associativity and commutativity of the symbols $*$ and $\circ$, up to the commutativity of $\approx$, $\not\approx$ and up to prenex form. We denote by $|\phi|$ the size of $\phi$. For technical convenience, we assume that the symbols $\circ$ and $*$ have weight 1 and 2, respectively, and that all atoms have size 1. For conciseness, a formula $\exists x_1 \dots \exists x_n\, \phi$ will often be written $\exists \mathbf{x}\, \phi$, with $\mathbf{x} = (x_1,\dots,x_n)$. A permission formula is a formula containing no spatial atoms and no equational atom of the form $x \approx y$ or $x \not\approx y$ with $x,y \in \mathcal{V}_{\mathsf{l}}$ (note that $\mathsf{emp}$ is a permission formula). A formula is spatial if all the atoms occurring in it are spatial. A pure formula is a formula that contains no spatial atom (it is not necessarily a permission formula, as it may contain equations or disequations between locations). A symbolic heap is a formula containing no occurrence of $\circ$, and a $\circ$-formula is a formula containing no occurrence of $*$.

A variable $x$ is free in a formula $\phi$ if it occurs in $\phi$ outside of the scope of any quantifier binding $x$. The set of variables (freely) occurring in a term (or formula) $\phi$ is denoted by $\mathit{fv}(\phi)$. A substitution is a function mapping every variable in $\mathcal{V}_{\mathsf{l}}$ to a variable in $\mathcal{V}_{\mathsf{l}}$ and every variable in $\mathcal{V}_{\mathsf{p}}$ to a term in $\mathcal{T}_{\mathsf{p}}$.

$^2$ The connective $\circ$ is called strong separating conjunction in [5] and written $*$ there (whereas our $*$ is written there with a different symbol). Our notations are mostly consistent with those in [10].

The domain of a substitution $\sigma$ (denoted by $\mathit{dom}(\sigma)$) is the set of variables $x$ such that $\sigma(x) \neq x$. A substitution of domain $\{x_1,\dots,x_n\}$ with $\sigma(x_i) = t_i$ is denoted by $\{x_i \leftarrow t_i \mid i = 1,\dots,n\}$, or $\{\mathbf{x} \leftarrow \mathbf{t}\}$, with $\mathbf{x} = (x_1,\dots,x_n)$ and $\mathbf{t} = (t_1,\dots,t_n)$. For all formulas or terms $\phi$, we denote by $\phi\sigma$ the formula or term obtained from $\phi$ by replacing every free occurrence of a variable $x$ by $\sigma(x)$.


Semantics. Permissions are interpreted in some permission model:


Definition 1 (Adapted from [10]). A permission model $\mathfrak{P}$ is a triple

$$(\mathcal{P}_{\mathfrak{P}},\ \oplus_{\mathfrak{P}},\ (P_{\mathfrak{P}})_{P \in \mathcal{P}_{\mathsf{p}}})$$

where $\mathcal{P}_{\mathfrak{P}}$ is a non-empty set, called the set of permissions, $\oplus_{\mathfrak{P}} : \mathcal{P}_{\mathfrak{P}} \times \mathcal{P}_{\mathfrak{P}} \to \mathcal{P}_{\mathfrak{P}}$ is a binary partial function that is commutative, associative and cancellative, and $P_{\mathfrak{P}} \subseteq \mathcal{P}_{\mathfrak{P}}^{\#(P)}$ for all $P \in \mathcal{P}_{\mathsf{p}}$. If $\pi, \pi' \in \mathcal{P}_{\mathfrak{P}}$, we write $\pi \le_{\mathfrak{P}} \pi'$ if $\pi = \pi' \vee (\exists \pi'' \in \mathcal{P}_{\mathfrak{P}}.\ \pi' = \pi \oplus_{\mathfrak{P}} \pi'')$.


In what follows, $\mathfrak{P}$ always denotes a permission model. If $\pi \in \mathcal{P}_{\mathfrak{P}}$ and $n \in \mathbb{N}$, we denote by $\pi^n$ the permission $\pi \oplus_{\mathfrak{P}} \dots \oplus_{\mathfrak{P}} \pi$ ($n$ times); note that $\pi^n$ is not necessarily defined and implicitly depends on the considered permission model, which will always be clear from the context. In contrast to [10], we do not assume that a maximal "total" permission $1_{\mathfrak{P}}$ exists; we allow instead for arbitrary predicates over permissions (the total permission can be encoded as a unary predicate symbol $T$, with $T_{\mathfrak{P}} = \{1_{\mathfrak{P}}\}$).


Example 2. Assume that $\mathcal{P}_{\mathsf{p}} = \emptyset$. A simple example of a permission model is $\mathfrak{rw} = (\{\mathit{read}, \mathit{write}\}, \oplus_{\mathfrak{rw}}, \emptyset)$, with $\mathit{read} \oplus_{\mathfrak{rw}} \mathit{read} = \mathit{read}$ and $\mathit{write} \oplus_{\mathfrak{rw}} \pi$ undefined for all $\pi \in \{\mathit{read}, \mathit{write}\}$. Another example (from [4]) is $\mathfrak{f} = (\,]0,1], \oplus_{\mathfrak{f}}, \emptyset)$ where $]0,1]$ denotes the interval of rational numbers, with $\pi \oplus_{\mathfrak{f}} \pi' = \pi + \pi'$ if $\pi + \pi' \le 1$ and $\pi \oplus_{\mathfrak{f}} \pi'$ undefined otherwise ($\mathfrak{f}$ stands for fractional).


Let $\mathcal{L}$ be a countably infinite set of locations. A store (for a given permission model $\mathfrak{P}$) is a total mapping associating every variable in $\mathcal{V}_{\mathsf{l}}$ to an element of $\mathcal{L}$ and every variable in $\mathcal{V}_{\mathsf{p}}$ to an element of $\mathcal{P}_{\mathfrak{P}}$. A store can be extended into a partial mapping from $\mathcal{T}_{\mathsf{p}}$ to $\mathcal{P}_{\mathfrak{P}}$ inductively defined as follows: $\mathfrak{s}(p_1 \oplus p_2) \stackrel{\text{def}}{=} \mathfrak{s}(p_1) \oplus_{\mathfrak{P}} \mathfrak{s}(p_2)$. Note that the obtained mapping is partial since $\mathfrak{s}(p_1) \oplus_{\mathfrak{P}} \mathfrak{s}(p_2)$ is not always defined. If $x_1,\dots,x_n$ are pairwise distinct variables in $\mathcal{V}_{\mathsf{l}}$ and $\ell_1,\dots,\ell_n \in \mathcal{L}$, we denote by $\mathfrak{s}\{x_i \leftarrow \ell_i \mid i = 1,\dots,n\}$ the store $\mathfrak{s}'$ coinciding with $\mathfrak{s}$ on every variable not occurring in $\{x_1,\dots,x_n\}$ and such that $\mathfrak{s}'(x_i) = \ell_i$ for all $i = 1,\dots,n$.

A heap (for a given permission model $\mathfrak{P}$) is a partial finite function from $\mathcal{L}$ to $\mathcal{L}^* \times \mathcal{P}_{\mathfrak{P}}$. The domain of a heap $\mathfrak{h}$ is denoted by $\mathit{dom}(\mathfrak{h})$, and we denote by $|\mathfrak{h}|$ the finite cardinality of $\mathit{dom}(\mathfrak{h})$. A heap of domain $\{\ell_1,\dots,\ell_n\}$ such that $\mathfrak{h}(\ell_i) = (\ell^i_1,\dots,\ell^i_{k_i},\pi_i)$ (for all $i \in \{1,\dots,n\}$) will be denoted as a set $\{(\ell_i, \ell^i_1,\dots,\ell^i_{k_i},\pi_i) \mid i = 1,\dots,n\}$. For every heap $\mathfrak{h}$ we denote by $\mathit{loc}(\mathfrak{h})$ the set $\{\ell_i \mid \ell_0 \in \mathit{dom}(\mathfrak{h}),\ \mathfrak{h}(\ell_0) = (\ell_1,\dots,\ell_k,\pi),\ 0 \le i \le k\}$. A heap may be viewed as a directed (labeled) graph: the locations in $\mathit{loc}(\mathfrak{h})$ are the vertices of the graph and there is an edge from $\ell$ to $\ell'$ if $\mathfrak{h}(\ell) = (\ell_1,\dots,\ell_n,\pi)$ and $\ell' = \ell_i$ for some $i \in \{1,\dots,n\}$.

A subheap of $\mathfrak{h}$ is any heap $\mathfrak{h}'$ such that $\mathit{dom}(\mathfrak{h}') \subseteq \mathit{dom}(\mathfrak{h})$ and $\mathfrak{h}'(\ell) = \mathfrak{h}(\ell)$ for all $\ell \in \mathit{dom}(\mathfrak{h}')$. A p-weakening of $\mathfrak{h}$ (w.r.t. some permission model $\mathfrak{P}$) is any heap $\mathfrak{h}'$ such that $\mathit{dom}(\mathfrak{h}') = \mathit{dom}(\mathfrak{h})$ and for all $\ell \in \mathit{dom}(\mathfrak{h})$, if $\mathfrak{h}(\ell) = (\ell_1,\dots,\ell_n,\pi)$ then $\mathfrak{h}'(\ell) = (\ell_1,\dots,\ell_n,\pi')$ with $\pi' \le_{\mathfrak{P}} \pi$. We write $\mathfrak{h}' \le_{\mathsf{l}} \mathfrak{h}$ (resp. $\mathfrak{h}' \le_{\mathsf{p}} \mathfrak{h}$) if $\mathfrak{h}'$ is a subheap (resp. a p-weakening) of $\mathfrak{h}$. The relation $\le$ denotes the composition of $\le_{\mathsf{l}}$ and $\le_{\mathsf{p}}$. We write $\mathfrak{h} \sim \mathfrak{h}'$ if $\mathfrak{h}$ and $\mathfrak{h}'$ only differ by the permissions, i.e., $\mathit{dom}(\mathfrak{h}) = \mathit{dom}(\mathfrak{h}')$ and for all $\ell \in \mathit{dom}(\mathfrak{h})$, if $\mathfrak{h}'(\ell) = (\ell_1,\dots,\ell_n,\pi')$ then there exists $\pi$ such that $\mathfrak{h}(\ell) = (\ell_1,\dots,\ell_n,\pi)$.


Example 3. Consider the permission model $\mathfrak{f}$ defined in Example 2 with $\mathcal{L} = \mathbb{N}$. The sets

$$\mathfrak{h}_0 = \{(0,0,1,0.1), (1,0,0,0.2)\}, \qquad \mathfrak{h}_1 = \{(0,0,1,0.1)\},$$
$$\mathfrak{h}_2 = \{(0,0,1,0.1), (1,0,0,0.1)\}, \qquad \mathfrak{h}_3 = \{(1,0,0,0.1)\}$$

are heaps, and we have, e.g., $\mathfrak{h}_0(0) = (0,1,0.1)$ (meaning that the location 0 is allocated and refers to $(0,1)$, with permission 0.1), $\mathfrak{h}_1 \le_{\mathsf{l}} \mathfrak{h}_0$, $\mathfrak{h}_2 \le_{\mathsf{p}} \mathfrak{h}_0$, $\mathfrak{h}_3 \le_{\mathsf{l}} \mathfrak{h}_2$, and $\mathfrak{h}_3 \le \mathfrak{h}_0$. Moreover, $\mathfrak{h}_0 \sim \mathfrak{h}_2$.


Heaps can be composed using the following partial operator. If $\mathfrak{h}_1, \mathfrak{h}_2$ are heaps, then $\mathfrak{h}_1 \sqcup \mathfrak{h}_2$ is defined iff for all $\ell \in \mathit{dom}(\mathfrak{h}_1) \cap \mathit{dom}(\mathfrak{h}_2)$, we have $\mathfrak{h}_i(\ell) = (\ell^i_1,\dots,\ell^i_{k_i},\pi_i)$ (for all $i = 1,2$) where $k_1 = k_2$, $\ell^1_j = \ell^2_j$ for all $j \in \{1,\dots,k_1\}$ and $\pi_1 \oplus_{\mathfrak{P}} \pi_2$ is defined. Then $\mathfrak{h}_1 \sqcup \mathfrak{h}_2$ is defined as follows: if $\ell \in \mathit{dom}(\mathfrak{h}_i) \setminus \mathit{dom}(\mathfrak{h}_j)$ with $(i,j) \in \{(1,2),(2,1)\}$ then $(\mathfrak{h}_1 \sqcup \mathfrak{h}_2)(\ell) \stackrel{\text{def}}{=} \mathfrak{h}_i(\ell)$, and if $\ell \in \mathit{dom}(\mathfrak{h}_1) \cap \mathit{dom}(\mathfrak{h}_2)$ then $(\mathfrak{h}_1 \sqcup \mathfrak{h}_2)(\ell) \stackrel{\text{def}}{=} (\ell^1_1,\dots,\ell^1_{k_1}, \pi_1 \oplus_{\mathfrak{P}} \pi_2)$.

Example 4. Consider the permission model $\mathfrak{f}$ defined in Example 2, with $\mathcal{L} = \mathbb{N}$ and the following heaps:

$$\mathfrak{h}_0 = \{(0,0,0.5), (1,0,0.6)\} \qquad \mathfrak{h}_1 = \{(0,0,0.5), (1,0,0.2), (2,0.1)\}$$
$$\mathfrak{h}_2 = \{(0,0,0.5), (1,0,0.6)\} \qquad \mathfrak{h}_3 = \{(0,0,0.1), (1,0.1)\}$$

Then $\mathfrak{h}_0 \sqcup \mathfrak{h}_1$ is defined, and we have: $\mathfrak{h}_0 \sqcup \mathfrak{h}_1 = \{(0,0,1), (1,0,0.8), (2,0.1)\}$. However, neither $\mathfrak{h}_0 \sqcup \mathfrak{h}_2$ nor $\mathfrak{h}_0 \sqcup \mathfrak{h}_3$ is defined (in the former case the permissions of location 1 cannot be combined, as $0.6 + 0.6 > 1$, and in the latter case the location 1 is associated with distinct tuples, $(0)$ and $()$, respectively).
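To make the definitions of $\sqcup$, $\le_{\mathsf{l}}$, $\le_{\mathsf{p}}$, $\le$ and $\sim$ concrete, the following Python code is an added example (not code from the paper): it represents a heap as a dictionary from locations to (tuple, permission) pairs, encodes the models $\mathfrak{rw}$ and $\mathfrak{f}$ of Example 2 by their composition $\oplus$ and the derived order $\le_{\mathfrak{P}}$, and reproduces the computations of Examples 3 and 4. Permissions of $\mathfrak{f}$ are represented by exact rationals; the class and function names (`PermissionModel`, `compose`, `example3`, `example4`, and so on) are the example's own.

```python
"""Heaps with permissions: composition, orderings and the examples above.

Added example, not the paper's code.  A heap maps a location to a pair
(tuple of locations, permission); a permission model supplies the partial
composition (+) and the derived order <=.  Models rw and f are those of
Example 2; fractional permissions are exact rationals.
"""
from fractions import Fraction
from typing import Callable, Dict, Hashable, Optional, Tuple

Perm = Hashable
Heap = Dict[int, Tuple[Tuple[int, ...], Perm]]


class PermissionModel:
    """Only what the heap operations need from (P, (+), ...): (+) and <=."""

    def __init__(self, compose: Callable[[Perm, Perm], Optional[Perm]],
                 leq: Callable[[Perm, Perm], bool]):
        self.compose = compose   # returns None where pi (+) pi' is undefined
        self.leq = leq           # pi <= pi' iff pi = pi' or pi' = pi (+) pi'' for some pi''


# rw: read (+) read = read, write combines with nothing; hence <= is equality.
RW = PermissionModel(compose=lambda a, b: 'read' if a == b == 'read' else None,
                     leq=lambda a, b: a == b)

# f: permissions in ]0,1], pi (+) pi' = pi + pi' if that is <= 1; <= is the numeric
# order, since for a < b we have b = a (+) (b - a) with b - a in ]0,1].
FRAC = PermissionModel(compose=lambda a, b: a + b if a + b <= 1 else None,
                       leq=lambda a, b: a <= b)


def compose(h1: Heap, h2: Heap, model: PermissionModel) -> Optional[Heap]:
    """h1 ⊔ h2, or None when undefined: shared locations must carry the same
    tuple and their permissions must be composable."""
    out = dict(h1)
    for loc, (tup2, perm2) in h2.items():
        if loc not in out:
            out[loc] = (tup2, perm2)
            continue
        tup1, perm1 = out[loc]
        if tup1 != tup2:
            return None                  # distinct records at the same location
        perm = model.compose(perm1, perm2)
        if perm is None:
            return None                  # permissions cannot be combined
        out[loc] = (tup1, perm)
    return out


def disjoint_compose(h1: Heap, h2: Heap) -> Optional[Heap]:
    """The union used by the connective ∘: defined only for disjoint domains."""
    return None if h1.keys() & h2.keys() else {**h1, **h2}


def is_subheap(h1: Heap, h2: Heap) -> bool:
    """h1 <=_l h2: the same cells on a subset of the domain."""
    return all(loc in h2 and h2[loc] == cell for loc, cell in h1.items())


def is_pweakening(h1: Heap, h2: Heap, model: PermissionModel) -> bool:
    """h1 <=_p h2: same domain and tuples, permissions of h1 weaker."""
    return h1.keys() == h2.keys() and all(
        h1[loc][0] == h2[loc][0] and model.leq(h1[loc][1], h2[loc][1]) for loc in h1)


def is_leq(h1: Heap, h2: Heap, model: PermissionModel) -> bool:
    """h1 <= h2, the composition of <=_l and <=_p: h1 is a subheap of some
    p-weakening of h2."""
    return all(loc in h2 and h1[loc][0] == h2[loc][0]
               and model.leq(h1[loc][1], h2[loc][1]) for loc in h1)


def same_shape(h1: Heap, h2: Heap) -> bool:
    """h1 ~ h2: the heaps differ only in their permissions."""
    return h1.keys() == h2.keys() and all(h1[loc][0] == h2[loc][0] for loc in h1)


def example3():
    """The four heaps of Example 3 over the model f (locations are naturals)."""
    F = Fraction
    h0 = {0: ((0, 1), F(1, 10)), 1: ((0, 0), F(2, 10))}
    h1 = {0: ((0, 1), F(1, 10))}
    h2 = {0: ((0, 1), F(1, 10)), 1: ((0, 0), F(1, 10))}
    h3 = {1: ((0, 0), F(1, 10))}
    return h0, h1, h2, h3


def example4():
    """The three compositions of Example 4; the last two are undefined (None)."""
    F = Fraction
    h0 = {0: ((0,), F(5, 10)), 1: ((0,), F(6, 10))}
    h1 = {0: ((0,), F(5, 10)), 1: ((0,), F(2, 10)), 2: ((), F(1, 10))}
    h2 = {0: ((0,), F(5, 10)), 1: ((0,), F(6, 10))}
    h3 = {0: ((0,), F(1, 10)), 1: ((), F(1, 10))}
    return compose(h0, h1, FRAC), compose(h0, h2, FRAC), compose(h0, h3, FRAC)


if __name__ == "__main__":
    h0, h1, h2, h3 = example3()
    print(is_subheap(h1, h0), is_pweakening(h2, h0, FRAC),
          is_leq(h3, h0, FRAC), same_shape(h0, h2))
    print(example4())
```

Because `compose` reports an undefined $\sqcup$ as `None` instead of raising, a caller enumerating decompositions (as the semantics of $*$ in Definition 5 does) can simply skip the undefined cases; the two failure modes of Example 4 (permissions that do not compose, and distinct records at a shared location) are the two `return None` branches.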


A structure (for a given permission model $\mathfrak{P}$) is a pair $(\mathfrak{s},\mathfrak{h})$ where $\mathfrak{s}$ is a store and $\mathfrak{h}$ is a heap for $\mathfrak{P}$. It is injective if $\mathfrak{s}$ is injective. A location $\ell$ is allocated in a structure $(\mathfrak{s},\mathfrak{h})$ or in a heap $\mathfrak{h}$ if $\ell \in \mathit{dom}(\mathfrak{h})$, and a variable $x$ is allocated in $(\mathfrak{s},\mathfrak{h})$ if $\mathfrak{s}(x) \in \mathit{dom}(\mathfrak{h})$.

The semantics of spatial predicates is defined by inductive rules. A set of inductive definitions (SID) is a set of rules of the form $P(x_1,\dots,x_n,y_1,\dots,y_m) \Leftarrow \phi$ where $n = \#_{\mathsf{l}}(P)$, $n + m = \#(P)$, $x_1,\dots,x_n$ are pairwise distinct variables in $\mathcal{V}_{\mathsf{l}}$, $y_1,\dots,y_m$ are pairwise distinct variables in $\mathcal{V}_{\mathsf{p}}$, and $\phi$ is a formula such that $\mathit{fv}(\phi) \subseteq \{x_1,\dots,x_n,y_1,\dots,y_m\}$. We write $P(z_1,\dots,z_n,p_1,\dots,p_m) \Leftarrow_R \psi$ iff $R$ contains a rule $P(x_1,\dots,x_n,y_1,\dots,y_m) \Leftarrow \phi$ with $\psi = \phi\{x_i \leftarrow z_i, y_j \leftarrow p_j \mid i \in \{1,\dots,n\}, j \in \{1,\dots,m\}\}$.




Definition 5. (Semantics) For every permission model $\mathfrak{P}$ and SID $R$, the satisfiability relation $\models^{\mathfrak{P}}_R$ is the smallest relation between structures (for $\mathfrak{P}$) and formulas such that:

1. $(s,h) \models^{\mathfrak{P}}_R \mathit{emp}$ iff $h = \emptyset$.

2. $(s,h) \models^{\mathfrak{P}}_R x \mapsto_p (y_1,\dots,y_k)$ if $s(p)$ is defined and $h = \{(s(x),s(y_1),\dots,s(y_k),s(p))\}$. Note that this entails that $\mathit{dom}(h) = \{s(x)\}$.

3. $(s,h) \models^{\mathfrak{P}}_R x \approx y$ (resp. $(s,h) \models^{\mathfrak{P}}_R x \not\approx y$) if $h = \emptyset$, $s(x)$ and $s(y)$ are defined and $s(x) = s(y)$ (resp. $s(x) \neq s(y)$).

4. $(s,h) \models^{\mathfrak{P}}_R P(p_1,\dots,p_n)$ with $P \in \mathcal{P}_{\mathfrak{P}}$ if $s(p_i)$ is defined for all $i \in \{1,\dots,n\}$, $(s(p_1),\dots,s(p_n)) \in P^{\mathfrak{P}}$ and $h = \emptyset$.

5. $(s,h) \models^{\mathfrak{P}}_R P(x_1,\dots,x_n,p_1,\dots,p_m)$ with $P \in \mathcal{P}$ if there exists $\varphi$ such that $P(x_1,\dots,x_n,p_1,\dots,p_m) \Leftarrow_R \varphi$ and $(s,h) \models^{\mathfrak{P}}_R \varphi$.

6. $(s,h) \models^{\mathfrak{P}}_R \varphi_1 * \varphi_2$ if there exist heaps $h_1,h_2$ such that $h_1 \cup h_2$ is defined, $h = h_1 \cup h_2$ and $(s,h_i) \models^{\mathfrak{P}}_R \varphi_i$ for all $i = 1,2$.

7. $(s,h) \models^{\mathfrak{P}}_R \varphi_1 \circ \varphi_2$ if there exist heaps $h_1,h_2$ such that $\mathit{dom}(h_1) \cap \mathit{dom}(h_2) = \emptyset$, $h = h_1 \cup h_2$ and $(s,h_i) \models^{\mathfrak{P}}_R \varphi_i$ for all $i = 1,2$.

8. $(s,h) \models^{\mathfrak{P}}_R \exists x\, \varphi$ if $(s\{x \mapsto \ell\},h) \models^{\mathfrak{P}}_R \varphi$ for some $\ell \in \mathcal{L}$.

A structure $(s,h)$ such that $(s,h) \models^{\mathfrak{P}}_R \varphi$ is an $(R,\mathfrak{P})$-model of $\varphi$. A formula admitting an $(R,\mathfrak{P})$-model is $(R,\mathfrak{P})$-satisfiable. Two formulas are sat-equivalent (w.r.t. $R,\mathfrak{P}$) if they are both $(R,\mathfrak{P})$-satisfiable or both $(R,\mathfrak{P})$-unsatisfiable.


Example 6. The formula $x \mapsto_u (y,z) \circ x \mapsto_{u'} (y',z')$ is $(R,\mathfrak{P})$-unsatisfiable, as $x$ cannot be allocated in disjoint parts of the heap. $x \mapsto_u (y) * x \mapsto_{u'} (y') \circ y \not\approx y'$ is also $(R,\mathfrak{P})$-unsatisfiable, as $x$ cannot refer to two distinct records, but $x \mapsto_u (y,z) * x \mapsto_{u'} (y',z')$ admits the model (on the permission model $\mathfrak{P}$ of Example 2) $(s,h)$ with $s(x) = 0$, $s(y) = s(y') = 1$, $s(z) = s(z') = 2$, $s(u) = 0.5$, $s(u') = 0.2$ and $h = \{(0,1,2,0.7)\}$.
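The heap operations of this section and the clauses of Definition 5 can be checked mechanically on small finite heaps. The following Python is an added example written for this page, not code from the paper. It assumes that the permission model of Example 2 is the fractional one the page's arithmetic implies (permissions in $(0,1]$, with $\oplus$ defined as addition whenever the sum stays at most $1$), represents permissions as exact fractions, and enumerates every model heap of a quantifier- and predicate-free formula for a fixed store, which is finite because each atom has at most one model heap. The data at the bottom are the heaps of Example 4 and the store of Example 6; names such as `heap_union`, `models` and `TWO_RECORDS` are this example's own.

```python
from fractions import Fraction
from itertools import product
from typing import Dict, List, Optional, Tuple

# A heap maps a location to (pointed-to locations, permission): the tuple
# (l, l1, ..., ln, pi) of the paper is stored as h[l] = ((l1, ..., ln), pi).
Heap = Dict[int, Tuple[Tuple[int, ...], Fraction]]
F = Fraction

def perm_plus(p1: Fraction, p2: Fraction) -> Optional[Fraction]:
    """Assumed permission model (Example 2 read as fractional permissions):
    permissions in (0, 1], and p1 (+) p2 is defined iff p1 + p2 <= 1."""
    total = p1 + p2
    return total if total <= 1 else None

def heap_union(h1: Heap, h2: Heap) -> Optional[Heap]:
    """The partial operator h1 U h2: a location in both heaps must carry the
    same record and combinable permissions; None when undefined."""
    out = dict(h1)
    for loc, (rec2, p2) in h2.items():
        if loc not in h1:
            out[loc] = (rec2, p2)
            continue
        rec1, p1 = h1[loc]
        if rec1 != rec2:                 # distinct tuples at one location
            return None
        p = perm_plus(p1, p2)
        if p is None:                    # permissions cannot be combined
            return None
        out[loc] = (rec1, p)
    return out

def is_subheap(h1: Heap, h2: Heap) -> bool:
    return all(loc in h2 and h2[loc] == v for loc, v in h1.items())

def is_pweakening(h1: Heap, h2: Heap) -> bool:
    """h1 <=_p h2: same domain and records, permissions pointwise no larger."""
    return h1.keys() == h2.keys() and all(
        h1[l][0] == h2[l][0] and h1[l][1] <= h2[l][1] for l in h1)

# Quantifier- and predicate-free formulas as nested tuples:
#   ("emp",)  ("pto", x, p, (y1, ...))  ("eq", x, y)  ("neq", x, y)
#   ("star", f, g) for *   and   ("circ", f, g) for the disjoint connective.
Formula = tuple

def models(s: dict, f: Formula) -> List[Heap]:
    """Every heap h with (s, h) |= f, following the clauses of Definition 5."""
    kind = f[0]
    if kind == "emp":
        return [{}]
    if kind == "pto":
        _, x, p, ys = f
        if x not in s or p not in s or any(y not in s for y in ys):
            return []                    # s must be defined on all arguments
        return [{s[x]: (tuple(s[y] for y in ys), s[p])}]
    if kind in ("eq", "neq"):
        _, x, y = f
        if x not in s or y not in s:
            return []
        holds = (s[x] == s[y]) if kind == "eq" else (s[x] != s[y])
        return [{}] if holds else []     # pure atoms hold only on the empty heap
    _, g1, g2 = f
    out: List[Heap] = []
    for h1, h2 in product(models(s, g1), models(s, g2)):
        if kind == "circ" and h1.keys() & h2.keys():
            continue                     # item 7: the domains must be disjoint
        h = heap_union(h1, h2)           # item 6: the union must be defined
        if h is not None and h not in out:
            out.append(h)
    return out

def satisfies(s: dict, h: Heap, f: Formula) -> bool:
    return h in models(s, f)

# Constructed sample data: the heaps of Example 4 and the store of Example 6.
H0: Heap = {0: ((0,), F(1, 2)), 1: ((0,), F(3, 5))}
H1: Heap = {0: ((0,), F(1, 2)), 1: ((0,), F(1, 5)), 2: ((), F(1, 10))}
H2: Heap = {0: ((0,), F(1, 2)), 1: ((0,), F(3, 5))}
H3: Heap = {0: ((0,), F(1, 10)), 1: ((), F(1, 10))}
STORE = {"x": 0, "y": 1, "y'": 1, "z": 2, "z'": 2, "u": F(1, 2), "u'": F(1, 5)}
PTO1, PTO2 = ("pto", "x", "u", ("y", "z")), ("pto", "x", "u'", ("y'", "z'"))
STAR, CIRC = ("star", PTO1, PTO2), ("circ", PTO1, PTO2)
# x |->_u (y) * x |->_u' (y') o y !~ y': two distinct records at one location.
TWO_RECORDS = ("circ", ("star", ("pto", "x", "u", ("y",)),
                        ("pto", "x", "u'", ("y'",))), ("neq", "y", "y'"))

if __name__ == "__main__":
    print(heap_union(H0, H1))            # defined: permissions 1, 4/5 and 1/10
    print(heap_union(H0, H2), heap_union(H0, H3))   # undefined twice (Example 4)
    print(models(STORE, STAR))           # one model heap, permission 7/10
    print(models(STORE, CIRC))           # no model: x allocated on both sides
    print(models({**STORE, "y'": 2}, TWO_RECORDS))  # no model either
```

Because `models` returns the complete list of model heaps, unsatisfiability of a formula for a given store shows up as an empty list, and `satisfies` reduces to membership; the same enumeration cannot be used once predicate atoms are present, which is exactly what the rest of the paper's procedure addresses.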


Note that there is no logical constant $\top$ (true): no formula can be satisfied on all heaps. The constant $\mathit{emp}$ is similar to $\top$ but it states that the heap is empty. For all formulas $\varphi,\psi$, we write $\varphi \models^{\mathfrak{P}}_R \psi$ iff the implication $(s,h) \models^{\mathfrak{P}}_R \varphi \Rightarrow (s,h) \models^{\mathfrak{P}}_R \psi$ holds for all structures $(s,h)$, and $\varphi \equiv^{\mathfrak{P}}_R \psi$ iff we have both $\varphi \models^{\mathfrak{P}}_R \psi$ and $\psi \models^{\mathfrak{P}}_R \varphi$. If $\varphi$ contains no predicate symbols in $\mathcal{P}$, then the truth value of $\varphi$ in $(s,h)$ does not depend on $R$. We thus may write $(s,h) \models^{\mathfrak{P}} \varphi$ instead of $(s,h) \models^{\mathfrak{P}}_R \varphi$. If, moreover, $\varphi$ is pure, then $(s,h) \models^{\mathfrak{P}} \varphi$ holds only if $h$ is empty. We will write $s \models^{\mathfrak{P}} \varphi$ to state that $(s,\emptyset) \models^{\mathfrak{P}} \varphi$. Finally, if $\varphi$ contains only equalities between variables then its semantics does not depend on $R$ and $\mathfrak{P}$, thus we write $s \models \varphi$ to state that $(s,\emptyset) \models^{\mathfrak{P}}_R \varphi$. Note that the semantics of $\varphi_1 \circ \varphi_2$ and $\varphi_1 * \varphi_2$ coincide if $\varphi_1$ or $\varphi_2$ is pure, and also coincide with that of the usual standard conjunction if both $\varphi_1$ and $\varphi_2$ are pure.

Shorthands. If $\mathbf{x} = (x_1,\dots,x_n)$ and $\mathbf{y} = (y_1,\dots,y_m)$ are sequences of variables in $\mathcal{V}_1$ then $\mathbf{x} \approx \mathbf{y}$ denotes the formula $\bot$ if $n \neq m$ and $(x_1 \approx y_1) \circ \dots \circ (x_n \approx y_n)$ otherwise. For every permission term $p$, we denote by $\mathit{def}(p)$ the atom $p \approx p$. By definition, $(s,h) \models^{\mathfrak{P}}_R \mathit{def}(p)$ iff $s(p)$ is defined and $h = \emptyset$.


3 h-Regular Systems


We focus on SIDs of some particular form, defined below.

Definition 7. A rule is h-regular if it is of the following form:

$P(x,\mathbf{y}) \Leftarrow \exists u_1,\dots,u_n\, (x \mapsto_p (v_1,\dots,v_k) \circ Q_1(u_1,\mathbf{y}_1) \circ \dots \circ Q_n(u_n,\mathbf{y}_n) \circ \varphi)$

where $\{u_1,\dots,u_n\} \subseteq \{v_1,\dots,v_k\}$, $p$ is a permission term, $\mathbf{y}_i$ is a vector of variables³, $Q_i \in \mathcal{P}$ and $\varphi$ is pure. We assume by $\alpha$-renaming that $x,\mathbf{y}$ do not occur in $\{u_1,\dots,u_n\}$. A SID $R$ is h-regular if all the rules in $R$ are h-regular.

Note that the right-hand side formula contains only the disjoint separation connective $\circ$ and not the usual separating conjunction $*$. As we will see (Theorem 33) this is crucial for the decidability of the satisfiability problem. However, as already observed in [5], this is also justified from a practical point of view. Assume for instance that we want to define the predicate $\mathit{lseg}$ introduced in [10], denoting a list segment from $x$ to $y$ with some permission $z$. The following rules can be used⁴: $\mathit{lseg}(x,y,z) \Leftarrow x \mapsto_z (y)$ and $\mathit{lseg}(x,y,z) \Leftarrow \exists u\, (x \mapsto_z (u) \circ \mathit{lseg}(u,y,z))$. A structure $(s,h)$ satisfies $\mathit{lseg}(x,y,z)$ if $h = \{(\ell_i,\ell_{i+1},s(z)) \mid i = 1,\dots,n\}$ with $n > 0$, $s(x) = \ell_1$, $s(y) = \ell_{n+1}$ and $\ell_i \neq \ell_j$ if $i \neq j$ and $i,j \in \{1,\dots,n\}$. This fits in with the definition in [10] (except that $n > 0$). In contrast, if one uses instead the connective $*$: $\mathit{lseg}(x,y,z) \Leftarrow \exists u\, (x \mapsto_z (u) * \mathit{lseg}(u,y,z))$, then one could obtain models where the list "loops" on itself an arbitrary number of times, such as, for instance, $(s,\{(s(x),s(x),\pi)\})$, with $s(y) = s(x)$ and $\pi = s(z)^n$, for any $n > 0$ such that $s(z)^n$ is defined. In the former definition, $s(y)$ possibly occurs in $\{\ell_1,\dots,\ell_n\}$, but each location can only be allocated once.

Intuitively, h-regular sets of inductive rules generate heaps with a regular structure (in the sense that it may be represented by a tree automaton [9]), enriched with some additional edges (referring to the nodes corresponding to the variables passed as parameters to the spatial predicates at some recursive calls). These additional edges may refer to locations corresponding to free variables (e.g. the root of the structure) but also to existential variables (for instance they may refer to the parent node in the tree). h-Regular SIDs are related to the PCE systems introduced in [13] (for progressing, connected and established), extended to formulas with permissions, but our conditions are slightly stronger, because we require that every existential variable be allocated at the next recursive call. Note that structures with mixed permissions are allowed, for instance the rules $P(x,z_1,z_2) \Leftarrow x \mapsto_{z_1} ()$ and $P(x,z_1,z_2) \Leftarrow \exists u\, (x \mapsto_{z_1} (u) \circ P(u,z_2,z_1))$ define a list with permissions alternating between $z_1$ and $z_2$. Rules with compound permission terms in points-to or permission atoms are allowed (such as $P(x,y_1,y_2) \Leftarrow x \mapsto_{y_1 \oplus y_2} () \circ \mathit{def}(y_1 \oplus y_1)$), but not those with compound permission terms in spatial predicate atoms⁵ (e.g., $P(x,y_1,y_2) \Leftarrow x \mapsto_{y_1} () \circ Q(x,y_1 \oplus y_2)$ is not h-regular).

³ i.e., compound permission terms are not allowed in predicate atoms.

⁴ As h-regular rules allocate exactly one location, we assume that the segment is non-empty; the case of an empty segment must be considered apart.

For every quantifier-free formula $\varphi$, we denote by $\mathit{roots}(\varphi)$ the set of variables $x$ (called the roots of $\varphi$) inductively defined as follows: $\mathit{roots}(x \mapsto_p (y_1,\dots,y_n)) = \{x\}$, $\mathit{roots}(P(x,y_1,\dots,y_k)) = \{x\}$, $\mathit{roots}(\exists y\, \varphi) = \mathit{roots}(\varphi) \setminus \{y\}$, $\mathit{roots}(\varphi) = \emptyset$ if $\varphi$ is pure and $\mathit{roots}(\varphi_1 * \varphi_2) = \mathit{roots}(\varphi_1 \circ \varphi_2) = \mathit{roots}(\varphi_1) \cup \mathit{roots}(\varphi_2)$. By Definition 7, roots are always allocated:


Proposition 8. Let $R$ be an h-regular SID. If $(s,h) \models^{\mathfrak{P}}_R \varphi$ and $x \in \mathit{roots}(\varphi)$ then $s(x) \in \mathit{dom}(h)$. Consequently, every formula of the form $\varphi_1 \circ \varphi_2$ with $\mathit{roots}(\varphi_1) \cap \mathit{roots}(\varphi_2) \neq \emptyset$ is $(R,\mathfrak{P})$-unsatisfiable.


The conditions in Definition 7 are actually not sufficient to ensure that the satisfiability problem is decidable:

Theorem 9. If there exist (not necessarily distinct) permissions $\pi_1,\pi_2 \in P_{\mathfrak{P}}$ such that $\pi_1 \oplus_{\mathfrak{P}} \pi_2$ is defined, then the $(R,\mathfrak{P})$-satisfiability problem is undecidable for h-regular SID $R$.

To ensure decidability, we need to further restrict the way existential variables are passed as parameters during recursive calls. This is the goal of the next definition.


Definition 10. Assume that $R$ is h-regular. Given two spatial predicates $P$ and $Q$, of arities $n$ and $m$ respectively, we write $P \bowtie_R Q$ if $P(x,x_1,\dots,x_{n-1}) * Q(x,y_1,\dots,y_{m-1})$ is $(R,\mathfrak{P})$-unsatisfiable⁶ (where $x_1,\dots,x_{n-1},y_1,\dots,y_{m-1}$ denote pairwise distinct variables of the appropriate sorts). We denote by $\gamma_R$ the function associating every predicate symbol $P$ of spatial arity $n$ to a subset of $\{2,\dots,n\}$ inductively defined as follows: for every rule $P(x_1,\dots,x_n,\mathbf{u}) \Leftarrow \exists y_1,\dots,y_m\, \varphi$ in $R$, for every predicate atom $Q(z_1,\dots,z_k,\mathbf{u}')$ in $\varphi$ with $\sharp_1(Q) = k$ and for all $i \in \{2,\dots,k\}$:

1. $z_i \in \{y_1,\dots,y_m\} \Rightarrow i \in \gamma_R(Q)$.

2. $z_i \in \{x_j \mid j \in \gamma_R(P)\} \Rightarrow i \in \gamma_R(Q)$.


⁵ Otherwise the unfolding of spatial predicates could yield terms of arbitrary depth.

⁶ In practice, as this condition is hard to test, some stronger syntactic condition can be tested instead; for instance one can check that all the formulas $\varphi$ and $\varphi'$ such that $P(x,x_1,\dots,x_{n-1}) \Leftarrow_R \varphi$ and $Q(x,y_1,\dots,y_{m-1}) \Leftarrow_R \varphi'$ are of the form $\varphi = (x \mapsto_p (\mathbf{u}) \circ \psi)$ and $\varphi' = (x \mapsto_{p'} (\mathbf{u}') \circ \psi')$ with $|\mathbf{u}| \neq |\mathbf{u}'|$ (this condition is used in Theorem 33 and for the EXPTIME-hardness proof in Theorem 32). More generally, it is sufficient to test that the "shapes" of the structures generated by $P$ and $Q$, up to a certain fixed unfolding depth, are incompatible.
Let $\mathcal{P}^*$ be a subset of $\mathcal{P}$ such that: (3) $P \in \mathcal{P}^* \Rightarrow \gamma_R(P) = \emptyset$; and (4) $P \in \mathcal{P}^* \wedge Q \in \mathcal{P} \setminus \mathcal{P}^* \Rightarrow P \bowtie_R Q$. An h-regular rule is $\exists$-restricted (w.r.t. $R$ and $\mathcal{P}^*$) if it satisfies the following condition (using the notations of Definition 7):

5. $\forall i \in \{1,\dots,n\}\ \forall j \in \{1,\dots,n\}\ (u_i \in \mathbf{y}_j \Rightarrow Q_i \in \mathcal{P}^*)$.

A SID $R$ is $\exists$-restricted if all the rules in $R$ are $\exists$-restricted.


Conditions 1 and 2 in Definition 10 are meant to ensure that $\gamma_R(P)$ denotes the indices of the parameters of $P$ that may (but do not have to) be instantiated by some existential variable introduced during the unfolding of the inductive rules in $R$ (the other parameters may only be instantiated by variables occurring in the initial formula). Condition 1 corresponds to a base case, where an existential variable is passed as a parameter to a predicate symbol, and Condition 2 handles the inductive case, when the variable is carried through recursive calls⁷. Then, Condition 5 ensures that an existential variable may only be passed as a parameter to a predicate symbol if it is the root of a structure defined by an atom $Q_i(u_i,\mathbf{y}_i)$ containing no variables introduced by unfolding (by Condition 3).


Example 11. The rules of the predicate $\mathit{lseg}$ are $\exists$-restricted (with $\mathcal{P}^* = \emptyset$). Indeed, they contain only one existential variable $u$, which occurs only as the first argument of a predicate. Hence Condition 5 in Definition 10 trivially holds. If $R$ contains no other rule then $\gamma_R(\mathit{lseg}) = \emptyset$. Note that $\gamma_R(\mathit{lseg})$ depends on the entire set $R$. For instance, if $R$ contains a rule $P(x,y) \Leftarrow \exists u\, (x \mapsto_y (u) \circ \mathit{lseg}(u,u,y))$ then the second argument of $\mathit{lseg}$ may be instantiated by an existential variable, hence $\gamma_R(\mathit{lseg}) = \{2\}$, and the latter rule is not $\exists$-restricted. On the other hand, the rules $Q(x,y) \Leftarrow x \mapsto_y ()$ and $R(x,y) \Leftarrow \exists u,v\, (x \mapsto_y (u,v) \circ \mathit{lseg}(u,v,y) \circ Q(v,y))$ are $\exists$-restricted, with $\mathcal{P}^* = \{Q\}$. Indeed, the variable $u$ occurs only at the root of a predicate, and the variable $v$ is the root of $Q(v,y)$. Note that $\mathit{lseg}(x,y,z) * Q(x,u)$ and $R(x,y) * Q(x,u)$ are $(R,\mathfrak{P})$-unsatisfiable, thus $\mathit{lseg} \bowtie_R Q$ and $R \bowtie_R Q$.
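To see how $\gamma_R$ and the $\exists$-restriction behave on the rules of Example 11, here is an added Python example written for this page (not code from the paper). It computes $\gamma_R$ as the least fixpoint of Conditions 1 and 2 of Definition 10 and then checks Conditions 3 and 5 for a given $\mathcal{P}^*$; Condition 4 requires an unsatisfiability test and is deliberately not checked. Rules are represented by their head parameters, existential variables and predicate atoms only (location arguments, no permission parameters and no points-to atom), which is all these conditions inspect; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Atom:
    pred: str
    args: Tuple[str, ...]      # location arguments only; args[0] is the root


@dataclass
class Rule:
    """One h-regular rule P(params) <= exists u* (x |-> (...) o atoms o pure).
    The points-to atom, the pure part and the permission parameters are left
    out: gamma_R and Condition 5 depend only on the predicate atoms."""
    head: str
    params: Tuple[str, ...]    # x1 ... xn of the head, params[0] is the root
    exists: FrozenSet[str]     # the existential variables u1 ... un
    atoms: List[Atom]


def gamma(rules: List[Rule]) -> Dict[str, Set[int]]:
    """Least fixpoint of Conditions 1 and 2 of Definition 10: gamma[Q] holds
    the positions (numbered from 2) of Q that may receive a variable created
    by unfolding, either an existential variable of the rule (Condition 1) or
    a head parameter x_j with j in gamma of the head predicate (Condition 2)."""
    g: Dict[str, Set[int]] = {}
    for r in rules:
        g.setdefault(r.head, set())
        for a in r.atoms:
            g.setdefault(a.pred, set())
    changed = True
    while changed:
        changed = False
        for r in rules:
            carried = {r.params[j - 1] for j in g[r.head]}  # x_j, j in gamma(P)
            for a in r.atoms:
                for i, z in enumerate(a.args[1:], start=2):
                    if (z in r.exists or z in carried) and i not in g[a.pred]:
                        g[a.pred].add(i)
                        changed = True
    return g


def exists_restricted(rules: List[Rule], pstar: Set[str]) -> bool:
    """Conditions 3 and 5 of Definition 10 for the given P*.  Condition 4
    (P(x,...) * Q(x,...) unsatisfiable) needs a satisfiability test and is
    not checked here; footnote 6 of the page gives a syntactic sufficient test."""
    g = gamma(rules)
    if any(g.get(p) for p in pstar):                   # Condition 3
        return False
    for r in rules:
        # existential u_i -> the predicate Q_i of which it is the root
        root_of = {a.args[0]: a.pred for a in r.atoms if a.args[0] in r.exists}
        for a in r.atoms:
            for z in a.args[1:]:                       # z in y_j of Q_j
                if z in root_of and root_of[z] not in pstar:   # Condition 5
                    return False
    return True


# Constructed SIDs from Example 11 (permission parameters dropped).
LSEG = [Rule("lseg", ("x", "y"), frozenset(), []),
        Rule("lseg", ("x", "y"), frozenset({"u"}), [Atom("lseg", ("u", "y"))])]
# P(x,y) <= exists u (x |-> (u) o lseg(u, u, y)): u reaches position 2 of lseg
P_RULE = Rule("P", ("x",), frozenset({"u"}), [Atom("lseg", ("u", "u"))])
# Q(x,y) <= x |-> ()  and  R(x,y) <= exists u,v (x |-> (u,v) o lseg(u,v,y) o Q(v,y))
QR = [Rule("Q", ("x",), frozenset(), []),
      Rule("R", ("x",), frozenset({"u", "v"}),
           [Atom("lseg", ("u", "v")), Atom("Q", ("v",))])]

if __name__ == "__main__":
    print(gamma(LSEG))                                # {'lseg': set()}
    print(gamma(LSEG + [P_RULE])["lseg"])             # {2}
    print(exists_restricted(LSEG + [P_RULE], set()))  # False
    print(exists_restricted(LSEG + QR, {"Q"}))        # True
```

With the rules of `QR` added, $\gamma_R(\mathit{lseg})$ also becomes $\{2\}$ (the existential $v$ is passed at position 2), which is harmless because $\mathit{lseg} \notin \mathcal{P}^*$; what the check enforces is that $v$, being passed as a parameter, is the root of an atom whose predicate $Q$ lies in $\mathcal{P}^*$ and has empty $\gamma_R$.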


Intuitively, the structures generated by $\exists$-restricted rules are regular tree-shaped structures, enriched with two kinds of additional edges: (i) a bounded number of arbitrary edges (corresponding to free variables, which may be freely passed as arguments to any predicate, thus may be referred to in an arbitrary way); (ii) an unbounded number of other edges (corresponding to existential variables) which are only allowed to point to structures that contain no edge of type (ii). Condition 4 ensures that the structures containing only edges of type (i) do not overlap with those containing both kinds of edges. Note that the conditions of Definition 10 always hold if the existential variables occur only as roots (with $\mathcal{P}^* = \mathcal{P}$ or $\mathcal{P}^* = \emptyset$). In this case there is no edge of type (ii), i.e., the obtained structures are regular sets of trees with a bounded number of additional edges (for instance trees with pointers to the root, or cyclic lists). Note that doubly linked lists cannot be captured (as they contain an unbounded number of additional edges from every node to the previous one). In the following we devise an algorithm to test the $(R,\mathfrak{P})$-satisfiability of symbolic heaps when $R$ is $\exists$-restricted.

⁷ For generality, one could assume that all the equalities occurring in the rules are propagated before $\gamma_R$ is computed (so that existential variables are eliminated if they are equal to a free variable), but this is not essential for our purposes, hence the corresponding formal definitions are omitted.


4 A Decision Procedure for Testing Satisfiability 


Before entering into technical details we start with a general overview of the procedure for testing satisfiability (assuming the considered SID is $\exists$-restricted).

1. Starting with a formula of the form $\delta_1 * \dots * \delta_n$ where the $\delta_i$'s are atoms, we first reduce every spatial atom $\delta_i$ into an equivalent disjunction of $\circ$-conjunctions $\delta_{i,1} \circ \dots \circ \delta_{i,m_i}$ such that the only free variables allocated by an atom $\delta_{i,j}$ are its roots $\mathit{roots}(\delta_{i,j})$ (as $\delta_{i,j}$ is an atom, $\mathit{card}(\mathit{roots}(\delta_{i,j})) \leq 1$). Due to the particular properties of the h-regular rules (more precisely, due to the fact that the rules satisfy the "establishment" property of [13], i.e., every existential variable is allocated), this entails that, for all structures $(s,h_{i,j})$ satisfying $\delta_{i,j}$, the domains of $h_{i,j}$ and $h_{i',j'}$ are either equal (if $\delta_{i,j}$ and $\delta_{i',j'}$ have the same roots) or disjoint (otherwise). Indeed, the establishment property ensures that the considered heaps have no "pending edges" (i.e., no location that is referred to but not allocated), other than those denoted by free variables. This step can be considered as the key part of the procedure. It requires to (automatically) enrich the language with additional predicates and rules, and the termination of the transformation crucially depends on the conditions on $\exists$-restricted rules. For instance, an atom $\mathit{lseg}(x,x)$ occurring in a formula with free variables $x,y$ could be written $(x \approx y \circ \mathit{lseg}(x,x)) \vee \mathit{lseg}'(x,x,y) \vee (\mathit{lseg}'(x,y,y) \circ \mathit{lseg}'(y,x,x))$ where $\mathit{lseg}'(u,v,w)$ denotes a list segment from $u$ to $v$ not allocating $w$. The previous decomposition depends on whether $y$ is equal to $x$ and whether $y$ occurs in the list segment from $x$ to $x$.

2. By distributivity, we get at this point $*$-conjunctions of $\circ$-conjunctions of atoms. Taking advantage of the previous property, we then reduce these formulas into $\circ$-conjunctions of $*$-conjunctions of atoms, by regrouping the atoms with the same roots, e.g., $(P(x,y) \circ Q(y,x)) * (P'(x,y) \circ Q'(y,x))$ may be written $(P(x,y) * P'(x,y)) \circ (Q(y,x) * Q'(y,x))$.

3. Next, we show that a $*$-conjunction of atoms sharing the same root (such as $P(x,y) * P'(x,y)$ or $Q(y,x) * Q'(y,x)$) can be denoted by a single atom, the rules of which are obtained by "merging" the rules of the initial atoms.

4. At this point we get a $\circ$-conjunction of atoms. To ensure that the formula is satisfiable it suffices to test that all these atoms have a model and that all these models are compatible, w.r.t. the equality constraints, allocated locations and permission constraints. To this aim, we construct finite abstractions of the models of the considered atoms using a bottom-up fixpoint algorithm.

In the next subsections, each of these steps is explained in detail.

4.1 Normalization


We first show that every formula can be transformed into an equivalent formula (that we call normalized) in which every allocated variable occurs as a root:

Definition 12. A formula $\varphi$ is normalized if it is of the form $\exists \mathbf{x}\, \psi$ where $\psi$ is quantifier-free and for all spatial atoms $\delta$ in $\psi$, for all $(R,\mathfrak{P})$-models $(s,h)$ of $\delta$ and for all variables $y \in \mathit{fv}(\psi)$: $s(y) \in \mathit{dom}(h) \iff y \in \mathit{roots}(\delta)$.

For instance, $\mathit{lseg}(x,y)$ is not normalized, because $y$ may be allocated (e.g., if $s(x) = s(y)$) and does not occur in $\mathit{roots}(\mathit{lseg}(x,y)) = \{x\}$. To enforce this condition, we introduce new predicate symbols (called derived predicates), the rules of which can be automatically computed from those of the predicates already occurring in this formula. We first define predicate symbols that ensure that some given variable is not allocated.

Definition 13. For all predicate atoms $P(\mathbf{x},\mathbf{p})$ (where $\mathbf{x}$ and $\mathbf{p}$ are vectors of location variables and permission terms, respectively) and for all location variables $v$, we denote by $P(\mathbf{x},\mathbf{p})[v]^{\neg}$ any atom of the form $Q(\mathbf{x},v,\mathbf{p})$, where $Q$ is a fresh predicate symbol, associated with the rules:

$Q(\mathbf{y},w,\mathbf{z}) \Leftarrow \exists \mathbf{u}\, (Q_1(\mathbf{y}_1,\mathbf{p}_1)[w]^{\neg} \circ \dots \circ Q_m(\mathbf{y}_m,\mathbf{p}_m)[w]^{\neg} \circ \varphi \circ \mathbf{y}|_1 \not\approx w)$

for all rules $P(\mathbf{y},\mathbf{z}) \Leftarrow \exists \mathbf{u}\, (Q_1(\mathbf{y}_1,\mathbf{p}_1) \circ \dots \circ Q_m(\mathbf{y}_m,\mathbf{p}_m) \circ \varphi)$ in $R$ (up to AC), where $\mathbf{y},\mathbf{y}_i$ are vectors of location variables, $\mathbf{z},\mathbf{p}_i$ are vectors of permission variables, and $\varphi$ contains no predicate atom.

For instance $\mathit{lseg}(x,y,z)[u]^{\neg}$ is a predicate atom $Q(x,y,u,z)$ defined by the following rules: $\{Q(x,y,u,z) \Leftarrow \exists x'\, (x \mapsto_z (x') \circ Q(x',y,u,z) \circ x \not\approx u),\ Q(x,y,u,z) \Leftarrow x \mapsto_z (y) \circ x \not\approx u\}$. It denotes a list segment from $x$ to $y$ not allocating $u$. The following result is straightforward to prove:

Proposition 14. For every $\exists$-restricted SID $R$, the set $R$ enriched with the rules associated with the predicate $Q$ corresponding to $P(\mathbf{x},\mathbf{p})[v]^{\neg}$ in Definition 13 is $\exists$-restricted, with $\gamma_R(Q) = \gamma_R(P)$ and $Q \in \mathcal{P}^* \iff P \in \mathcal{P}^*$.

Intuitively the structures that satisfy $P(\mathbf{x},\mathbf{p})[v]^{\neg}$ are exactly those that satisfy $P(\mathbf{x},\mathbf{p})$ and do not allocate $v$:

Lemma 15. For all h-regular SID $R$, $(s,h) \models^{\mathfrak{P}}_R P(\mathbf{x},\mathbf{p})[v]^{\neg}$ iff $(s,h) \models^{\mathfrak{P}}_R P(\mathbf{x},\mathbf{p})$ and $s(v) \notin \mathit{dom}(h)$.

The operator $\delta \mapsto \delta[x]^{\neg}$ can be applied recursively, e.g., one can consider atoms of the form $\delta[x]^{\neg}[y]^{\neg}$, etc. For all predicate atoms $\delta$, we denote by $\mathit{unalloc}(\delta)$ the set of variables inductively defined as follows: $\mathit{unalloc}(\delta[x]^{\neg}) = \{x\} \cup \mathit{unalloc}(\delta)$, and $\mathit{unalloc}(\delta) = \emptyset$ if $\delta$ is not of the form $\delta'[x]^{\neg}$. The following proposition is an immediate consequence of Lemma 15:

Proposition 16. If $(s,h) \models^{\mathfrak{P}}_R \delta$ then $s(x) \notin \mathit{dom}(h)$, for all $x \in \mathit{unalloc}(\delta)$.
Next, we define predicate symbols allowing one to remove some part of a structure. Intuitively, the expression $(\varphi -\!\bullet\, \psi)$ will hold exactly in the structures that satisfy $\psi$ when a disjoint structure satisfying $\varphi$ is added. For instance, given the rules $\mathit{tree}(x,y) \Leftarrow \exists x_1,x_2\, (x \mapsto_y (x_1,x_2) \circ \mathit{tree}(x_1,y) \circ \mathit{tree}(x_2,y))$ and $\mathit{tree}(x,y) \Leftarrow x \mapsto_y ()$, $\mathit{tree}(z,y)$ and $\mathit{tree}(x,y)$ denote binary trees with roots $z$ and $x$, respectively, and $\mathit{tree}(z,y) -\!\bullet\, \mathit{tree}(x,y)$ denotes a tree of root $x$ with a "hole" at $z$ (the structures satisfying $\mathit{tree}(z,y) -\!\bullet\, \mathit{tree}(x,y)$ are obtained from models of $\mathit{tree}(x,y)$ by removing the part of the heap that corresponds to $\mathit{tree}(z,y)$). The formula $\varphi -\!\bullet\, \psi$ is similar to the strong magic wand introduced in [17] and to the context predicates in [12], and also close in spirit to the separating implication of SL, although the semantics are slightly different.

Definition 17. For all finite sequences of predicate atoms $P_i(\mathbf{x}_i,\mathbf{p}_i)$ (with $i = 0,\dots,n$), where $\mathbf{x}_i$ and $\mathbf{p}_i$ are vectors of location variables and permission terms, respectively, we denote by $(P_1(\mathbf{x}_1,\mathbf{p}_1) \circ \dots \circ P_n(\mathbf{x}_n,\mathbf{p}_n)) -\!\bullet\, P_0(\mathbf{x}_0,\mathbf{p}_0)$ any atom $P(\mathbf{x},\mathbf{p})$ with $\mathbf{x} = \mathbf{x}_0 \cdots \mathbf{x}_n$, $\mathbf{p} = \mathbf{p}_0 \cdots \mathbf{p}_n$, and such that $P = P_0$ if $n = 0$ and otherwise $P$ is a fresh symbol associated with rules of the form

$P(\mathbf{y},\mathbf{z}) \Leftarrow \exists \mathbf{w}\, (\psi_1 \circ \dots \circ \psi_m \circ \varphi)$

for all rules

$P_0(\mathbf{y}_0,\mathbf{z}_0) \Leftarrow \exists \mathbf{w}\, (Q_1(\mathbf{u}_1,\mathbf{q}_1) \circ \dots \circ Q_m(\mathbf{u}_m,\mathbf{q}_m) \circ \varphi)$

in $R$ and for all decompositions $\alpha_1 \circ \dots \circ \alpha_m = P_1(\mathbf{y}_1,\mathbf{z}_1) \circ \dots \circ P_n(\mathbf{y}_n,\mathbf{z}_n)$ (up to AC, where the $\alpha_i$'s may be empty), where:

- $\mathbf{y}_i$ and $\mathbf{z}_i$ are sequences of pairwise distinct location and permission variables, respectively, with $|\mathbf{y}_i| = |\mathbf{x}_i|$ and $|\mathbf{z}_i| = |\mathbf{p}_i|$;

- $\psi_i$ is of one of the following forms:
  - either $\alpha_i -\!\bullet\, Q_i(\mathbf{u}_i,\mathbf{q}_i)$;
  - or $\mathbf{y}_j \approx \mathbf{u}_i \circ \mathbf{z}_j \approx \mathbf{q}_i$, if $\alpha_i = P_j(\mathbf{y}_j,\mathbf{z}_j)$ and $P_j = Q_i$.

For instance $\mathit{tree}(z,y) -\!\bullet\, \mathit{tree}(x,y)$ denotes an atom $P(x,z,y,y)$ with the rules:

$P(x,z,y_1,y_2) \Leftarrow \exists x_1,x_2\, (x \mapsto_{y_1} (x_1,x_2) \circ P(x_1,z,y_1,y_2) \circ \mathit{tree}(x_2,z,y_1))$
$P(x,z,y_1,y_2) \Leftarrow \exists x_1,x_2\, (x \mapsto_{y_1} (x_1,x_2) \circ \mathit{tree}(x_1,z,y_1) \circ P(x_2,z,y_1,y_2))$
$P(x,z,y_1,y_2) \Leftarrow \exists x_1,x_2\, (x \mapsto_{y_1} (x_1,x_2) \circ x_1 \approx z \circ y_1 \approx y_2 \circ \mathit{tree}(x_2,z,y_1))$
$P(x,z,y_1,y_2) \Leftarrow \exists x_1,x_2\, (x \mapsto_{y_1} (x_1,x_2) \circ \mathit{tree}(x_1,z,y_1) \circ x_2 \approx z \circ y_1 \approx y_2)$

For readability, all the expressions of the form $\mathit{emp} -\!\bullet\, \mathit{tree}(x_2,z,y_1)$ have been replaced by $\mathit{tree}(x_2,z,y_1)$. Note that the rules are not h-regular, as $x_1$ and $x_2$ do not occur as roots in every rule, but they can easily be transformed into h-regular rules by replacing $x_1$ and $x_2$ by $z$ in the third and fourth rule, respectively (using the equations $x_1 \approx z$ and $x_2 \approx z$). The definition can be applied recursively (i.e., $P_0,\dots,P_n$ may be derived predicates). The next proposition is an immediate consequence of Definition 17:
Proposition 18. Let $R$ be an h-regular SID. The rules associated with any predicate $P$ corresponding to an expression $\alpha -\!\bullet\, \delta$ (Definition 17) are h-regular, up to the following equivalence: $\exists x\, (x \approx y \circ \varphi) \equiv^{\mathfrak{P}}_R \varphi\{x \mapsto y\}$. Moreover, the rules are also $\exists$-restricted, with $\gamma_R(P) = \gamma_R(P_0)$ and $P \in \mathcal{P}^* \iff P_0 \in \mathcal{P}^*$. Finally if $\alpha = \mathit{emp}$ then $(\alpha -\!\bullet\, \delta) \equiv^{\mathfrak{P}}_R \delta$.

Note that, however, the implication $P \in \mathcal{P}^* \wedge Q \in \mathcal{P} \setminus \mathcal{P}^* \Rightarrow P \bowtie_R Q$ (Condition 4 in Definition 10) does not necessarily hold for derived predicates $P,Q$. The following lemma states a form of modus ponens, relating the connective $\circ$ with $-\!\bullet$:

Lemma 19. If $R$ is h-regular then $P(\mathbf{x},\mathbf{p}) \circ ((P(\mathbf{x},\mathbf{p}) \circ \alpha) -\!\bullet\, Q(\mathbf{y},\mathbf{q})) \models^{\mathfrak{P}}_R \alpha -\!\bullet\, Q(\mathbf{y},\mathbf{q})$.

The next lemma states that every predicate atom allocating $x$ can be written as a $\circ$-formula in which $x$ occurs as a root.

Lemma 20. Assume that $R$ is $\exists$-restricted. Let $\mathbf{y},\mathbf{p}$ be vectors of location variables and permission terms, respectively. If $(s,h) \models^{\mathfrak{P}}_R Q(\mathbf{y},\mathbf{p})$, $s(x) \neq s(\mathbf{y}|_1)$ and $s(x) \in \mathit{dom}(h)$, then there exist atoms of the form $P(x,\mathbf{z},\mathbf{q})$, $P_i(x_i,\mathbf{y}_i,\mathbf{q}_i)$ (with $i \in \{1,\dots,n\}$), where $\mathbf{z} \subseteq \mathbf{y} \cup \{x_1,\dots,x_n\}$, $\mathbf{y}_i \subseteq \{\mathbf{y}|_j \mid j \notin \gamma_R(Q)\}$, $\mathbf{q} \subseteq \mathbf{p}$ and $\mathbf{q}_i \subseteq \mathbf{p}$, such that: $(s,h) \models^{\mathfrak{P}}_R \exists x_1,\dots,x_n\, (\beta \circ (\beta -\!\bullet\, Q(\mathbf{y},\mathbf{p})))$, with $\beta = P(x,\mathbf{z},\mathbf{q}) \circ (\mathop{\circ}_{i=1}^n P_i(x_i,\mathbf{y}_i,\mathbf{q}_i))$. Moreover, $P_i \in \mathcal{P}^*$, $\{x_1,\dots,x_n\} \subseteq \{\mathbf{z}|_j \mid j \in \gamma_R(P)\}$, and every variable $y \in \mathbf{y} \cap \mathbf{z}$ with $y \notin \{\mathbf{y}|_j \mid j \notin \gamma_R(Q)\}$ satisfies $y \in \{\mathbf{z}|_j \mid j \in \gamma_R(P)\}$.

Intuitively, since $x$ is allocated and the rules are h-regular, then necessarily some predicate atom of the form $P(x,\mathbf{z},\mathbf{q})$ must be called at some point during the unfolding of the rules. Using $-\!\bullet$, this predicate can be removed from the call tree of $Q(\mathbf{y},\mathbf{p})$ and lifted at the root level in the formula. The atom $P(x,\mathbf{z},\mathbf{q})$ may contain variables not occurring in $Q(\mathbf{y},\mathbf{p})$ corresponding to existential variables introduced by unfolding. As the rules are $\exists$-restricted, all such variables $x_i$ must themselves appear as the root of some predicate atom $P_i(x_i,\mathbf{y}_i,\mathbf{q}_i)$ which contains (beside $x_i$) only variables occurring in $Q(\mathbf{y},\mathbf{p})$ (since $\gamma_R(P_i) = \emptyset$, due to Condition 5 in Definition 10). Again, these atoms can be moved at the root level.

Definition 21. For all atoms $\delta = Q(\mathbf{y},\mathbf{p})$ we denote by $\delta[x]^{*}$ the set of formulas of the form $\exists x_1,\dots,x_n\, (\beta \circ (\beta -\!\bullet\, Q(\mathbf{y},\mathbf{p})))$ as defined in Lemma 20. We also denote by $\delta[x]^{=}$ the formula $\delta \circ (x \approx \mathbf{y}|_1)$.

For every model of $\delta$, $\delta[x]^{\neg}$ holds if $x$ is not allocated in $\delta$, $\delta[x]^{=}$ holds if $x$ is equal to the root of $\delta$ and $\delta[x]^{*}$ holds if $x$ is allocated but is not the root of $\delta$. The following result follows immediately from Lemmata 19 and 20:

Lemma 22. Assume that $R$ is $\exists$-restricted. Let $x \in \mathcal{V}_1$. For every predicate atom $\delta$ such that $x \notin \mathit{roots}(\delta)$, and for all structures $(s,h)$: $(s,h) \models^{\mathfrak{P}}_R \delta$ iff there exists $\psi \in \{\delta[x]^{\neg}, \delta[x]^{=}\} \cup \delta[x]^{*}$ such that $(s,h) \models^{\mathfrak{P}}_R \psi$.
For instance the atom $\mathit{lseg}(x,y,z)$ holds iff one of the formulas $\mathit{lseg}(x,y,z) \circ x \approx y$, $\mathit{lseg}(x,y,z)[y]^{\neg}$ or $\mathit{lseg}(y,y,z) \circ (\mathit{lseg}(y,y,z) -\!\bullet\, \mathit{lseg}(x,y,z))$ holds. The second formula corresponds to the case where $y$ is not allocated, and the first and third ones correspond to the case where there is a loop on $y$. By applying repeatedly Lemma 22 on every variable $x$ and atom $\delta$ we eventually obtain a disjunction of normalized formulas:

Lemma 23. Let $R$ be an $\exists$-restricted SID. There exists an algorithm transforming any symbolic heap $\varphi$ containing no points-to atom into a set of normalized formulas $\Psi$ such that for all structures $(s,h)$: $(s,h) \models^{\mathfrak{P}}_R \varphi$ iff there exists $\psi \in \Psi$ such that $(s,h) \models^{\mathfrak{P}}_R \psi$. Furthermore, every formula in $\Psi$ is a (quantified) separating conjunction of $\circ$-formulas.

4.2 Commuting Separating and Disjoint Connections

The next step consists in showing that, under some particular conditions enforced by the previous transformation, the operator $*$ can be pushed innermost in the formula (below the operator $\circ$). To this aim, we exploit an essential property of h-regular SIDs, namely that all the locations that occur in the heap of some model of a formula $\varphi$ but are not allocated correspond to a variable in $\mathit{fv}(\varphi)$. We shall denote by $\mathit{cut}(L,L',h)$ the set of locations reachable from $L$ in $h$ by a path not crossing $L'$:

Definition 24. Let $h$ be a heap, let $L,L' \subseteq \mathcal{L}$. We denote by $\mathit{cut}(L,L',h)$ the set of locations inductively defined as follows: $L \subseteq \mathit{cut}(L,L',h)$, and if $\ell \in \mathit{cut}(L,L',h)$, $h(\ell) = (\ell_1,\dots,\ell_k,\pi)$, $i \in \{1,\dots,k\}$ and $\ell_i \notin L'$ then $\ell_i \in \mathit{cut}(L,L',h)$.

The following lemma characterizes the domain of the part of the heap satisfying some formula $\varphi$:

Lemma 25. Let $R$ be an h-regular SID and let $\varphi$ be a $\circ$-formula containing no quantifier. Let $s$ be a store and let $h,h'$ be heaps, with $h' \leq h$. Let $V$ be a set of variables, with $\mathit{fv}(\varphi) \subseteq V \cup \mathit{roots}(\varphi)$ and $s(V) \cap \mathit{dom}(h') = \emptyset$. If $(s,h') \models^{\mathfrak{P}}_R \varphi$ then $\mathit{dom}(h') = \mathit{cut}(s(\mathit{roots}(\varphi)), s(V), h)$.
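Definition 24 is plain graph reachability that refuses to enter the locations of $L'$, and Lemma 25 uses it to delimit the sub-heap of a $\circ$-formula from its roots and free variables. The following added Python example (not the paper's code) implements $\mathit{cut}$ and runs it on a constructed heap modelling $\mathit{lseg}(x,y) \circ \mathit{lseg}(y,z)$ with $s(x) = 10$, $s(y) = 20$, $s(z) = 30$, where $30$ is left unallocated so that it acts as the pending edge denoted by the free variable $z$; `domain_of` is a helper written for this example that reads Lemma 25 as an algorithm.

```python
from typing import Dict, Iterable, Set, Tuple

# loc -> (pointed-to locations, permission); permissions play no role in cut.
Heap = Dict[int, Tuple[Tuple[int, ...], float]]


def cut(L: Iterable[int], Lp: Iterable[int], h: Heap) -> Set[int]:
    """Definition 24: the locations reachable from L in h along paths that
    never enter L'.  A location outside dom(h) (a pending edge) is reached
    but has no successors; a location of L' is only present if it is in L."""
    blocked = set(Lp)
    reached: Set[int] = set()
    work = list(L)
    while work:
        loc = work.pop()
        if loc in reached:
            continue
        reached.add(loc)
        if loc not in h:
            continue
        work.extend(succ for succ in h[loc][0] if succ not in blocked)
    return reached


# Constructed heap: list segment 10 -> 11 -> 12 -> 20, then 20 -> 21 -> 30,
# with 30 unallocated.  Read with s(x) = 10, s(y) = 20, s(z) = 30, it is a
# model of lseg(x, y) o lseg(y, z) (permissions all set to 1 here).
H: Heap = {10: ((11,), 1.0), 11: ((12,), 1.0), 12: ((20,), 1.0),
           20: ((21,), 1.0), 21: ((30,), 1.0)}
S = {"x": 10, "y": 20, "z": 30}


def domain_of(roots, free_vars, h, s):
    """Lemma 25 read as an algorithm: the sub-heap satisfying a o-formula with
    the given roots and free variables V has domain cut(s(roots), s(V), h)."""
    return cut({s[v] for v in roots}, {s[v] for v in free_vars}, h)


if __name__ == "__main__":
    print(domain_of(["x"], ["y", "z"], H, S))   # {10, 11, 12}: the lseg(x, y) part
    print(domain_of(["y"], ["x", "z"], H, S))   # {20, 21}: the lseg(y, z) part
    print(cut({10}, set(), H))                 # {10, 11, 12, 20, 21, 30}
```

The last call shows why the free variables must be passed as $L'$: with nothing blocked, the walk runs through $s(y)$ into the second segment and even reaches the unallocated location $30$, so the domain of the first segment is recovered only once $s(V)$ cuts the paths.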


The commutation property, pushing $*$ below $\circ$, is given by Lemma 26:

Lemma 26. Let $R$ be an h-regular SID. Let $V \subseteq \mathcal{V}_1$ and let $\varphi$ be a normalized formula, of the form $\varphi = \varphi' \circ ((\mathop{*}_{i=1}^n (\varphi_i \circ \psi_i)) * \psi')$, where, for all $i \in \{1,\dots,n\}$, $\mathit{roots}(\varphi_i) = V$ and $(\mathit{roots}(\psi_i) \cup \mathit{roots}(\psi')) \cap V = \emptyset$. Then $\varphi$ is $(R,\mathfrak{P})$-satisfiable iff $(\varphi' \circ \mathop{*}_{i=1}^n \varphi_i) \circ ((\mathop{*}_{i=1}^n \psi_i) * \psi')$ is $(R,\mathfrak{P})$-satisfiable.

Roughly speaking, as $\mathit{roots}(\varphi_i) = V$ and $\varphi_i$ is normalized, it is possible to prove, using the characterization given in Lemma 25, that the parts of the heap that correspond to the formulas $\varphi_i$ all have the same domain. This entails that the heaps corresponding to the formulas $\psi_i$ and $\varphi_j$ are disjoint, which permits to prove that $\mathop{*}_{i=1}^n (\varphi_i \circ \psi_i)$ can be written $(\mathop{*}_{i=1}^n \varphi_i) \circ (\mathop{*}_{i=1}^n \psi_i)$, yielding the result.
4.3 Merging of Spatial Predicates

We show that, under some particular conditions, it is possible to replace the separating conjunction of two spatial atoms having the same root by a single spatial atom. The rules defining this atom are obtained by combining the rules of the two initial atoms. More precisely, consider any h-regular SID $R$ and two spatial atoms $P(x,\mathbf{y},\mathbf{p})$ and $P'(x,\mathbf{y}',\mathbf{p}')$ sharing the same root $x$, where $\mathbf{y},\mathbf{y}'$ are vectors of location variables and $\mathbf{p}$ and $\mathbf{p}'$ are vectors of permission terms. We denote by $P(x,\mathbf{y},\mathbf{p}) \triangledown P'(x,\mathbf{y}',\mathbf{p}')$ any atom $Q(x,\mathbf{y},\mathbf{y}',\mathbf{p},\mathbf{p}')$ where $Q$ is associated with rules of the form:

$Q(v,\mathbf{w},\mathbf{w}',\mathbf{z},\mathbf{z}') \Leftarrow \exists u_1,\dots,u_n\, (v \mapsto_{q} (v_1,\dots,v_k) \circ \mathop{\circ}_{i=1}^n (Q_i(u_i,\mathbf{y}_i,\mathbf{q}_i) \triangledown Q'_i(u_i,\mathbf{y}'_i,\mathbf{q}'_i)) \circ \varphi \circ \varphi' \circ \psi)$

with $q = p \oplus p'$, for all pairs of rules of the following forms in $R$ (with the same numbers $k$ and $n$, and up to $\alpha$-renaming, so that the rules share the same existential variables):

$P(v,\mathbf{w},\mathbf{z}) \Leftarrow \exists u_1,\dots,u_n\, (v \mapsto_{p} (v_1,\dots,v_k) \circ \mathop{\circ}_{i=1}^n Q_i(u_i,\mathbf{y}_i,\mathbf{q}_i) \circ \varphi)$

$P'(v,\mathbf{w}',\mathbf{z}') \Leftarrow \exists u_1,\dots,u_n\, (v \mapsto_{p'} (v'_1,\dots,v'_k) \circ \mathop{\circ}_{i=1}^n Q'_i(u_i,\mathbf{y}'_i,\mathbf{q}'_i) \circ \varphi')$

where $\psi = \mathop{\circ}_{i=1}^k (v_i \approx v'_i)$. Note that all the produced rules are h-regular⁸.

Lemma 27. Let $R$ be an h-regular SID. Let $x \in \mathcal{V}_1$ and let $(s,h)$ be a structure such that $s(y) \notin \mathit{dom}(h)$ holds for all variables $y$ such that $s(x) \neq s(y)$. Then

$(s,h) \models^{\mathfrak{P}}_R P(x,\mathbf{y},\mathbf{p}) \triangledown P'(x,\mathbf{y}',\mathbf{p}') \iff (s,h) \models^{\mathfrak{P}}_R P(x,\mathbf{y},\mathbf{p}) * P'(x,\mathbf{y}',\mathbf{p}')$.

The result crucially depends on the fact that the parts of the heap that correspond to $P(x,\mathbf{y},\mathbf{p})$ and $P'(x,\mathbf{y}',\mathbf{p}')$ respectively must share the same domain, since otherwise, as $R$ is h-regular, a free variable would be allocated, contradicting the hypothesis. This ensures that the heap can be generated by the above rules.

4.4 Heap Abstractions and Main Result

As we shall see later, the previous transformations can be used to transform any symbolic heap into a $\circ$-formula (while preserving satisfiability). The final step is to devise an algorithm to test the satisfiability of $\circ$-formulas. As it is done in [6] for standard heap models, the algorithm works by constructing relevant abstractions of the models of the predicate atoms. It suffices to keep track of the truth value of the equational atoms, of the allocated variables and of the permission atoms satisfied by the structure.

⁸ However $\exists$-restrictedness is not necessarily preserved.
Definition 28. A heap abstraction is a tuple $a = (V_a, \sim_a, A_a, \rho_a)$ where $V_a$ is a finite set of variables, $\sim_a$ is an equivalence relation on the variables of sort $1$ occurring in $V_a$, $A_a$ is a subset of $V_a \cap \mathcal{V}_1$, closed under $\sim_a$ (i.e., for all $x,y \in V_a$: $x \in A_a \wedge x \sim_a y \Rightarrow y \in A_a$), and $\rho_a$ is a permission formula (with variables in $V_a$).

Definition 29. Let $(s,h)$ be a structure and let $a = (V_a, \sim_a, A_a, \rho_a)$ be a heap abstraction. We write $(s,h) \models^{\mathfrak{P}} a$ if all the following conditions are satisfied: (i) for all variables $x,y \in V_a \cap \mathcal{V}_1$: $x \sim_a y \iff s(x) = s(y)$; (ii) for all $x \in V_a \cap \mathcal{V}_1$: $x \in A_a \iff s(x) \in \mathit{dom}(h)$; and (iii) $s \models^{\mathfrak{P}} \rho_a$. A heap abstraction is $\mathfrak{P}$-satisfiable if there exists a structure $(s,h)$ such that $(s,h) \models^{\mathfrak{P}} a$.

Proposition 30. A heap abstraction $a$ is $\mathfrak{P}$-satisfiable iff $\rho_a$ is $\mathfrak{P}$-satisfiable.

For all $\circ$-formulas $\varphi$, we define a set of heap abstractions $\mathfrak{A}(\varphi)$ by mutual induction as follows. The sets $\mathfrak{A}(\varphi)$ are the least sets of heap abstractions satisfying the following properties, for all finite sets of variables⁹ $V \supseteq \mathit{fv}(\varphi)$ and for all equivalence relations $\sim$ on $V \cap \mathcal{V}_1$: (i) if $\varphi = x \mapsto_p (y_1,\dots,y_k)$ then $(V, \sim, \{y \in V \mid y \sim x\}, \mathit{def}(p)) \in \mathfrak{A}(\varphi)$; (ii) if $\varphi = x \approx y$ (resp. $x \not\approx y$) with $x,y \in \mathcal{V}_1$ and $x \sim y$ (resp. $x \not\sim y$) then $(V, \sim, \emptyset, \mathit{emp}) \in \mathfrak{A}(\varphi)$; (iii) if $\varphi$ is a permission formula then $(V, \sim, \emptyset, \varphi) \in \mathfrak{A}(\varphi)$; (iv) if $\varphi = \exists x\, \psi$ and $(V, \sim, A, \rho) \in \mathfrak{A}(\psi)$ then $(V \setminus \{x\}, \sim', A \setminus \{x\}, \rho) \in \mathfrak{A}(\varphi)$, where $\sim'$ denotes the restriction of $\sim$ to the variables distinct from $x$, i.e., $\sim' = \{(u,v) \mid u \sim v \wedge u,v \neq x\}$ (note that $x$ cannot occur in $\rho$, since quantification over permission variables is not allowed); (v) if $\varphi = \varphi_1 \circ \varphi_2$ and $(V, \sim, A_i, \rho_i) \in \mathfrak{A}(\varphi_i)$ (for all $i = 1,2$) with $A_1 \cap A_2 = \emptyset$, then $(V, \sim, A_1 \cup A_2, \rho_1 \circ \rho_2) \in \mathfrak{A}(\varphi)$; (vi) if $\varphi = P(\mathbf{x},\mathbf{p})$ and $\varphi \Leftarrow_R \xi$ then $\mathfrak{A}(\xi) \subseteq \mathfrak{A}(\varphi)$.

Lemma 31. A $\circ$-formula $\varphi$ is $(R,\mathfrak{P})$-satisfiable iff at least one of the abstractions in $\mathfrak{A}(\varphi)$ is $\mathfrak{P}$-satisfiable.

Putting things together we get the following result:

Theorem 32. If $\mathfrak{P}$-satisfiability is decidable for permission formulas, then there exists an algorithm that, for every $\exists$-restricted SID $R$, decides whether a given formula $\varphi$ is $(R,\mathfrak{P})$-satisfiable. If, moreover, $\mathfrak{P}$-satisfiability is in EXPTIME, then $(R,\mathfrak{P})$-satisfiability is also in EXPTIME (for $\exists$-restricted SID). Finally, for every permission model $\mathfrak{P}$, $(R,\mathfrak{P})$-satisfiability is EXPTIME-hard (for $\exists$-restricted SID).

5 Using Separating Conjunctions Inside Rules

To end the paper, we wish to point out that the satisfiability problem is undecidable for $\exists$-restricted SID if the disjoint separation $\circ$ is replaced by the standard separating connective $*$ in the inductive definitions (see Definition 7). We think that the result is of some theoretical interest, although, as explained above, rules using $\circ$ are actually more convenient for describing data structures. The notions of $*$-h-regular and $*$-$\exists$-restricted SID are defined exactly as h-regular SID and $\exists$-restricted SID (Definitions 7 and 10) except that the symbol $\circ$ is replaced by $*$ everywhere (for conciseness the formal definitions are omitted).

⁹ For technical convenience we do not impose any bound on the cardinality of $V$, hence the set $\mathfrak{A}(\varphi)$ is infinite. This simplifies the theoretical definition of the abstraction for disjoint conjunctions. In practice only variables occurring in the initial formula or in the rules need to be considered.


Theorem 33. Let $\mathfrak{P}$ be any permission model and assume that for every $n \in \mathbb{N}$, there exists $\pi \in \mathfrak{P}$ such that $\pi^n$ is defined. The $(\mathcal{R}, \mathfrak{P})$-satisfiability problem is undecidable for $*$-$\circ$-restricted SID.


6 Conclusion and Future Work 


An algorithm was devised to test the satisfiability of symbolic heaps in Sepa- 
ration Logic with inductively defined predicates and permissions, under some 
(syntactic) conditions on the inductive rules giving the semantics of the spatial 
predicates. The algorithm runs in exponential time, provided the satisfiability 
of permission formulas is in EXPTIME. In addition, we showed that some natural relaxations of these conditions make the problem undecidable (under some minimal assumptions on the permission model). The next step is to investigate
the entailment problem for the considered fragment. The techniques devised in 
the present paper for transforming symbolic heaps into disjoint conjunctions of 
atoms should serve as a basis for this purpose, but the extension is not straight- 
forward. Another (much easier) extension that could be of practical relevance is 
to consider formulas with labels (in the sense of [5]) which allow one to express 
additional equality conditions on some parts of the structures. In our context, 
labels would simply yield additional conditions on the decomposition generated 
during the normalization step: two formulas sharing the same label should be 
decomposed into formulas with the same set of roots. It could also be interesting 
to relax some of the conditions on the rules, for instance to allow for existential 
variables not occurring as roots in the rules. This is required to encode data 
structures with forward pointers, such as skip lists. It is also unclear whether 
Condition 4 in Definition 10 is required for decidability. Finally, the decision algo- 
rithm could probably be extended to handle arbitrary combinations of disjoint 
and separating conjunctions. 
Nested Sequents for Quantified Modal Logics

Abstract. This paper studies nested sequents for quantified modal log-
ics. In particular, it considers extensions of the propositional modal log- 
ics definable by the axioms D, T, B, 4, and 5 with varying, increasing, 
decreasing, and constant domains. Each calculus is proved to have good 
structural properties: weakening and contraction are height-preserving 
admissible and cut is (syntactically) admissible. Each calculus is shown 
to be equivalent to the corresponding axiomatic system and, thus, to be 
sound and complete. Finally, it is argued that the calculi are internal— 
i.e., each sequent has a formula interpretation—whenever the existence 
predicate is expressible in the language. 


Keywords: Cut elimination · Nested sequent · Quantified modal logic


1 Introduction 


Generalisations of Gentzen-style sequent calculi have proven useful for developing 
cut-free and analytic proof systems for many propositional non-classical logics, 
including modal and intermediate ones. Among these generalisations are display 
calculi [2], hypersequents [1], labelled calculi [23,25], and nested sequents [5,12]. 
They often allow one to give constructive proofs of important meta-theoretical
properties such as decidability [3], interpolation [9], and automatic countermodel 
extraction [16]. These systems generalise the structural level of Gentzen-style 
calculi in different ways in order to express wider classes of logics. In the case of 
propositional modal logics they can express the structure of various relational 
models. In particular, nested sequents encode tree-like relational models and 
labelled calculi encode graph-like models. In contrast to other formalisms (e.g. 
labelled sequents) nested sequents have the advantage of being internal calculi: 
each nested sequent has a formula interpretation, and thus, such expressions are 
not a major departure from the modal language. 

Things become more difficult when we add the quantifiers. As is well known [7,10], in quantified modal logics (QMLs) we have interaction formulas such as

$$\mathrm{CBF} := \Box\forall x A \supset \forall x \Box A \qquad\text{and}\qquad \mathrm{BF} := \forall x \Box A \supset \Box\forall x A$$

whose validity depends on the interrelations between the domains of quantification ($D_w$) of the different worlds ($w$) of the model: CBF is valid only if domains are increasing ($wRv$ implies $D_w \subseteq D_v$) and BF is valid only if domains are decreasing ($wRv$ implies $D_w \supseteq D_v$). Axiomatically, CBF is derivable from the interaction of the axioms/rules for modalities and those for the classical quantifiers, and BF is independent from them. However, the situation is radically different for sequent calculi than for axiomatic calculi. The problem is that BF becomes derivable when we add standard sequent rules for the quantifiers to a calculus having separated left and right rules for the modalities, i.e., it is derivable in all generalisations of Gentzen-style calculi mentioned above.

To overcome this issue for nested sequents, we employ a formulation tech- 
nique motivated by labelled sequent calculi. One way of making CBF and BF 
independent of the rules for quantifiers within labelled sequent calculi is to extend 
the language with domain atoms of shape $y \in D(w)$, whose intended meaning is that "$y$ belongs to the quantificational domain of the label $w$" [20,25]. In this way, one can restrict the rules for the quantifiers to the terms belonging to the domain of the label under consideration:

$$
\frac{w : A(y/x),\ y \in D(w),\ w : \forall x A,\ \Gamma \Rightarrow \Delta}{y \in D(w),\ w : \forall x A,\ \Gamma \Rightarrow \Delta}\ L\forall
\qquad
\frac{z \in D(w),\ \Gamma \Rightarrow \Delta,\ w : A(z/x)}{\Gamma \Rightarrow \Delta,\ w : \forall x A}\ R\forall,\ z \text{ fresh}
$$

As a consequence, CBF and BF are derivable only if we extend the basic calculus with rules relating the domains of the distinct labels.

In this paper, we study nested sequent calculi for QMLs with varying, increas- 
ing, decreasing, and constant domains. Similar to the use of domain atoms in 
labelled sequents, we will formulate our nested calculi by extending the syntax 
of sequents with signatures—i.e., multisets of terms that restrict the applicabil- 
ity of the rules for the quantifiers at that node of the nested sequent—as was 
done in [24] to define hypersequents for Gödel-Dummett logic with non-constant 
domains. In particular, we will use the following rules for the universal quantifier:

$$
\frac{S\{X, y;\ A(y/x), \forall x A, \Gamma \Rightarrow \Delta\}}{S\{X, y;\ \forall x A, \Gamma \Rightarrow \Delta\}}\ L\forall
\qquad
\frac{S\{X, z;\ \Gamma \Rightarrow \Delta, A(z/x)\}}{S\{X;\ \Gamma \Rightarrow \Delta, \forall x A\}}\ R\forall,\ z \text{ fresh}
$$

and will add signature structural rules for increasing, decreasing, and constant domains (Table 3).

As a consequence, we will be able to define nested calculi that are equiv- 
alent to the labelled calculi considered in [25, Ch. 6] and [20, Ch. 12.1]. We 
will show that our nested calculi have good structural properties—all rules are 
height-preserving invertible, weakening and contraction are height-preserving 
admissible, and cut is syntactically admissible—and that they characterise the 
quantified extensions of the propositional modal logics in the cube of normal 
modalities. One advantage of the present approach is that nested sequents with signatures have a formula interpretation given that the language can express the existence predicate $E$. In this paper, we will consider a language with identity so that $Ex$ can be expressed as $\exists y(y = x)$ and it need not be taken as an additional primitive symbol; cf. [7]. Thus, our calculi utilise (nested) sequents as expressive as the modal language, showing that our calculi are syntactically economical.

The rest of the paper is organised as follows: Sect. 2 sketches the QMLs con- 
sidered in the paper, and Sect. 3 introduces the nested calculi for these logics. 
Then, Sect. 4 shows that these calculi have good structural properties distinc- 
tive of G3-style calculi, including syntactic cut-elimination, and Sect.5 shows 
that each calculus is sound and complete with respect to its intended semantics. 
Finally, Sect. 6 presents some future lines of research. 


2 Quantified Modal Logics 


Syntax. Let $\mathit{Rel}$ be a set containing, for each $n \in \mathbb{N}$, an at most countable set of $n$-ary predicates $R^n_1, R^n_2, \dots$, and let $\mathit{Var}$ be a denumerable set of individual variables. The language $\mathcal{L}$ is defined by the following grammar:

$$A ::= R^n_i(x_1, \dots, x_n) \mid x_1 = x_2 \mid \bot \mid A \supset A \mid \forall x A \mid \Box A \qquad (\mathcal{L})$$

where $x, x_1, \dots, x_n \in \mathit{Var}$ and $R^n_i \in \mathit{Rel}$. An atomic formula is a formula of the shape $R^n_i(x_1, \dots, x_n)$ or $x_1 = x_2$. We use the following metavariables: $x, y, z$ for variables; $P, Q, R$ for atomic formulas; and $A, B, C$ for formulas. An occurrence of a variable $x$ in a formula is free if it is not in the scope of $\forall x$; otherwise, it is bound. A sentence is a formula without free occurrences of variables. The formulas $\neg A$, $A \wedge B$, $A \vee B$, $\exists x A$, and $\Diamond A$ are defined as expected. We follow the usual conventions for parentheses. The weight $|A|$ of a formula is defined as follows: $|R^n_i(x_1, \dots, x_n)| = |x_1 = x_2| = |\bot| = 0$, $|A \supset B| = |A| + |B| + 1$, and $|\forall x A| = |\Box A| = |A| + 1$. We use $A(y/x)$ to denote the formula obtained from $A$ by replacing each free occurrence of $x$ with an occurrence of $y$, possibly renaming bound variables to avoid capture: if $y \neq x$, then $(\forall y A)(y/x) = \forall z((A(z/y))(y/x))$, where $z$ is fresh.


Semantics. A frame is a triple $\mathcal{F} = (W, R, D)$, where:

- $W$ is a non-empty set of worlds;
- $R$ is a binary accessibility relation defined over $W$;
- $D$ is a function mapping each $w \in W$ to a possibly empty set of objects $D_w$ (the domain of $w$); we impose that $D$ is such that $D_v \neq \emptyset$ for some $v \in W$.

We say that $\mathcal{F}$ has:

1. increasing domains if for all $w, v \in W$, $wRv$ implies $D_w \subseteq D_v$;
2. decreasing domains if for all $w, v \in W$, $wRv$ implies $D_w \supseteq D_v$;
3. constant domains if for all $w, v \in W$, $D_w = D_v$;
4. varying domains if none of the above conditions hold.

A model $\mathcal{M}$ is a frame together with a valuation function $V$ such that for each $w \in W$ and each $R^n$ in $\mathit{Rel}$, $V(w, R^n) \subseteq (D_W)^n$, where $D_W = \bigcup_{v \in W} D_v$. An assignment $\sigma$ is a function mapping each variable to an object in $D_W$. We let $\sigma^{x \triangleright o}$ be the assignment mapping $x$ to $o \in D_W$, which behaves like $\sigma$ for all other variables. Observe that variables are rigid designators in that their value does not change from one world to another.

Table 1. Axioms and corresponding properties ($w, v, u \in W$)

Name | Axiom | Property
D | $\Box A \supset \Diamond A$ | $\forall w \exists u \in W (wRu)$
T | $\Box A \supset A$ | $\forall w (wRw)$
B | $A \supset \Box\Diamond A$ | $\forall w, v (wRv \supset vRw)$
4 | $\Box A \supset \Box\Box A$ | $\forall w, v, u (wRv \wedge vRu \supset wRu)$
5 | $\Diamond A \supset \Box\Diamond A$ | $\forall w, v, u (wRv \wedge wRu \supset vRu)$
CBF | $\Box\forall x A \supset \forall x \Box A$ | $\forall w, v (wRv \supset D_w \subseteq D_v)$
BF | $\forall x \Box A \supset \Box\forall x A$ | $\forall w, v (wRv \supset D_w \supseteq D_v)$
UI | $\forall x A \supset A(y/x)$ | $\forall w, v (D_w = D_v)$

The notion of satisfaction of a formula $A$ at a world $w$ of a model $\mathcal{M}$ under an assignment $\sigma$ (denoted $\sigma \Vdash^{\mathcal{M}}_w A$, possibly omitting $\mathcal{M}$) is defined as follows:

$$
\begin{array}{lcl}
\sigma \Vdash^{\mathcal{M}}_w R^n(x_1, \dots, x_n) & \text{iff} & (\sigma(x_1), \dots, \sigma(x_n)) \in V(w, R^n)\\
\sigma \Vdash^{\mathcal{M}}_w x = y & \text{iff} & \sigma(x) = \sigma(y)\\
\sigma \nVdash^{\mathcal{M}}_w \bot & & \\
\sigma \Vdash^{\mathcal{M}}_w A \supset B & \text{iff} & \sigma \nVdash^{\mathcal{M}}_w A \text{ or } \sigma \Vdash^{\mathcal{M}}_w B\\
\sigma \Vdash^{\mathcal{M}}_w \forall x A & \text{iff} & \text{for each } o \in D_w,\ \sigma^{x \triangleright o} \Vdash^{\mathcal{M}}_w A\\
\sigma \Vdash^{\mathcal{M}}_w \Box A & \text{iff} & \text{for each } v \in W,\ wRv \text{ implies } \sigma \Vdash^{\mathcal{M}}_v A
\end{array}
$$


The notions of truth at a world $w$ ($\Vdash_w A$), truth in a model $\mathcal{M}$ ($\Vdash^{\mathcal{M}} A$), validity in a frame $\mathcal{F}$ ($\mathcal{F} \Vdash A$), and validity in a class $\mathcal{C}$ of frames ($\mathcal{C} \Vdash A$) are defined as usual. It is well known that the formula:

$\mathrm{CBF} := \Box\forall x A \supset \forall x \Box A$ is valid over frames with increasing domains;
$\mathrm{BF} := \forall x \Box A \supset \Box\forall x A$ is valid over frames with decreasing domains;
$\mathrm{UI} := \forall x A \supset A(y/x)$ is valid over frames with constant domains.

Over frames with non-constant domains the valid theory of quantification is that of positive free logic instead of that of classical logic. This means that the axiom UI is replaced by the weaker axiom $\mathrm{UI}^F := \forall y(\forall x A \supset A(y/x))$. If we extend the language with an existence predicate $E$, whose satisfaction clause is $\sigma \Vdash^{\mathcal{M}}_w Ex$ iff $\sigma(x) \in D_w$, then the following weaker form of UI is valid: $\mathrm{UI}^E := \forall x A \wedge Ey \supset A(y/x)$. Over the language $\mathcal{L}$ the formula $Ex$ can be defined as $\exists y(y = x)$, but over an identity-free language the existence predicate has to be taken as an additional primitive symbol. This distinction has an impact on the calculi introduced in the next section: nested sequents have a formula interpretation when $E$ is expressible in the language.
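To make the semantics above concrete, the following Python is an added illustration and not code from the paper: it implements the grammar of $\mathcal{L}$ with the capture-avoiding substitution $A(y/x)$ and the weight $|A|$, the satisfaction clauses over a finite model in which every world carries its own domain $D_w$, and then checks CBF and BF on two constructed two-world models, one with decreasing and one with increasing domains, using the sample instance $A = P(x)$. The two models, their valuation, and the names P, a, b are assumptions made for the example.

```python
"""QML formulas, capture-avoiding substitution, weight and satisfaction in a finite
model with world-relative domains (an illustration of Sect. 2, not the paper's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Pred:          # R(x1, ..., xn)
    name: str
    args: Tuple[str, ...]


@dataclass(frozen=True)
class Eq:            # x1 = x2
    left: str
    right: str


@dataclass(frozen=True)
class Bot:           # bottom
    pass


@dataclass(frozen=True)
class Imp:           # A ⊃ B
    a: "Formula"
    b: "Formula"


@dataclass(frozen=True)
class All:           # ∀x A
    var: str
    body: "Formula"


@dataclass(frozen=True)
class Box:           # □A
    a: "Formula"


Formula = Union[Pred, Eq, Bot, Imp, All, Box]


def weight(f: Formula) -> int:
    """|A|: atoms and ⊥ weigh 0, ⊃ adds 1 to the sum of its parts, ∀ and □ add 1."""
    if isinstance(f, (Pred, Eq, Bot)):
        return 0
    if isinstance(f, Imp):
        return weight(f.a) + weight(f.b) + 1
    return weight(f.body if isinstance(f, All) else f.a) + 1


def variables(f: Formula) -> Set[str]:
    """All variable names occurring in f, free or bound (used to pick fresh names)."""
    if isinstance(f, Pred):
        return set(f.args)
    if isinstance(f, Eq):
        return {f.left, f.right}
    if isinstance(f, Bot):
        return set()
    if isinstance(f, Imp):
        return variables(f.a) | variables(f.b)
    if isinstance(f, All):
        return {f.var} | variables(f.body)
    return variables(f.a)


def subst(f: Formula, y: str, x: str) -> Formula:
    """A(y/x): replace free occurrences of x by y, renaming a bound y to avoid capture."""
    if isinstance(f, Pred):
        return Pred(f.name, tuple(y if a == x else a for a in f.args))
    if isinstance(f, Eq):
        return Eq(y if f.left == x else f.left, y if f.right == x else f.right)
    if isinstance(f, Bot):
        return f
    if isinstance(f, Imp):
        return Imp(subst(f.a, y, x), subst(f.b, y, x))
    if isinstance(f, Box):
        return Box(subst(f.a, y, x))
    if f.var == x:                      # x is bound here: no free occurrence to replace
        return f
    if f.var == y:                      # (∀yA)(y/x) = ∀z((A(z/y))(y/x)) with z fresh
        used = variables(f) | {x, y}
        z = y + "'"
        while z in used:
            z += "'"
        return All(z, subst(subst(f.body, z, y), y, x))
    return All(f.var, subst(f.body, y, x))


@dataclass(frozen=True)
class Model:
    worlds: FrozenSet[str]
    access: FrozenSet[Tuple[str, str]]                      # accessibility relation R
    dom: Dict[str, FrozenSet[str]]                          # D_w for each world w
    val: Dict[Tuple[str, str], FrozenSet[Tuple[str, ...]]]  # V(w, R^n)


def sat(m: Model, w: str, sigma: Dict[str, str], f: Formula) -> bool:
    """σ ⊩_w A following the satisfaction clauses of Sect. 2 (variables are rigid)."""
    if isinstance(f, Pred):
        return tuple(sigma[a] for a in f.args) in m.val.get((w, f.name), frozenset())
    if isinstance(f, Eq):
        return sigma[f.left] == sigma[f.right]
    if isinstance(f, Bot):
        return False
    if isinstance(f, Imp):
        return (not sat(m, w, sigma, f.a)) or sat(m, w, sigma, f.b)
    if isinstance(f, All):               # the quantifier ranges over the local domain D_w only
        return all(sat(m, w, {**sigma, f.var: o}, f.body) for o in m.dom[w])
    return all(sat(m, v, sigma, f.a) for (u, v) in m.access if u == w)


def true_in_model(m: Model, sentence: Formula) -> bool:
    """Truth of a sentence in a model: satisfied at every world."""
    return all(sat(m, w, {}, sentence) for w in m.worlds)


# The interaction formulas instantiated with A = P(x)
P_x = Pred("P", ("x",))
CBF = Imp(Box(All("x", P_x)), All("x", Box(P_x)))
BF = Imp(All("x", Box(P_x)), Box(All("x", P_x)))


def two_world_model(dom_w, dom_v) -> Model:
    """Constructed sample model (assumption for the example): w sees v, P holds of a at v only."""
    return Model(frozenset({"w", "v"}), frozenset({("w", "v")}),
                 {"w": frozenset(dom_w), "v": frozenset(dom_v)},
                 {("v", "P"): frozenset({("a",)})})


DECREASING = two_world_model({"a", "b"}, {"a"})   # D_w ⊇ D_v: BF holds, CBF fails at w
INCREASING = two_world_model({"a"}, {"a", "b"})   # D_w ⊆ D_v: CBF holds, BF fails at w
```

Running `true_in_model` on the two models reproduces the dependence stated in the text: with decreasing domains the object b of $D_w$ is missing from $D_v$, so $\forall x \Box P(x)$ fails at w while $\Box\forall x P(x)$ holds, refuting CBF; with increasing domains the roles are swapped and BF is refuted.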


Logics. A QML is defined to be the set of all formulas that are valid in some given class of frames. In this paper, we consider logics that are defined by imposing combinations of the properties in Table 1. We use Q.L for a generic logic and we say that a formula is Q.L-valid if it belongs to the logic Q.L. The set of formulas that are valid over the class of all frames is called Q.K and it is axiomatised by the axioms and rules given in Table 2. We notice that $\mathrm{UI}^E$ is a theorem of Q.K, see [7, Lem. 2.1(iii)]. The additional axioms for the logics extending Q.K are given in Table 1. We follow the usual conventions for naming logics, e.g., Q.S4 $\oplus$ CBF is the set of formulas that are valid over all reflexive and transitive frames with increasing domains and it is axiomatised by adding axioms T, 4, and CBF to Q.K. We will not distinguish between a logic and its axiomatisation. This is justified by the following theorem.

Table 2. Axiomatisation of Q.K

TAUT. Propositional tautologies
K. $\Box(A \supset B) \supset (\Box A \supset \Box B)$
$\mathrm{UI}^F$. $\forall y(\forall x A \supset A(y/x))$
$\forall$-COMM. $\forall x \forall y A \supset \forall y \forall x A$
$\forall$-DIST. $\forall x(A \supset B) \supset (\forall x A \supset \forall x B)$
$\forall$-VAC. $A \supset \forall x A$, if $x$ is not free in $A$
REF. $x = x$
REPL. $x = y \wedge A(x/z) \supset A(y/z)$
ND. $x \neq y \supset \Box(x \neq y)$
MP. If $A$ and $A \supset B$ are theorems so is $B$
N. If $A$ is a theorem so is $\Box A$
UG. If $A$ is a theorem so is $\forall x A$


Theorem 1 ([7]). A formula is a theorem of Q.L if and only if it is Q.L-valid. 


3 Nested Calculi for QML 


A sequent is an expression $X; \Gamma \Rightarrow \Delta$ where $X$ is a multiset of variables, called a signature, and $\Gamma, \Delta$ are multisets of formulas of the language $\mathcal{L}$. The signature of a sequent is a syntactic counterpart of the existence atoms used in calculi where UI is replaced by $\mathrm{UI}^F$ or $\mathrm{UI}^E$, see [19]. Nested sequents are defined as follows:

$$S ::= X; \Gamma \Rightarrow \Delta, [S], \dots, [S]$$

A nested sequent $S$ codifies the tree of sequents $\mathrm{tr}(S)$, as shown in Fig. 1.

Fig. 1. The tree of the sequent $X; \Gamma \Rightarrow \Delta, [S_1], \dots, [S_n]$: its root is the sequent $X; \Gamma \Rightarrow \Delta$ and its children are the trees $\mathrm{tr}(S_1), \dots, \mathrm{tr}(S_n)$.

Substitutions of free variables are extended to (nested) sequents and to multisets of formulas by applying them component-wise. The formula interpretation of a sequent is defined as follows:

$$\mathrm{fm}(X; \Gamma \Rightarrow \Delta) = \bigwedge_{x \in X} Ex \wedge \bigwedge \Gamma \supset \bigvee \Delta$$

where $Ex$ is short for the formula $\exists y(y = x)$ and an empty conjunction (disjunction) is $\top$ ($\bot$, resp.). To provide a formula reading of nested sequents over the identity-free language we could add $E$ to the language or interpret formulas via their universal closure. In the latter case, for example, the formula interpretation of a sequent would be $\mathrm{fm}^{\forall}(X; \Gamma \Rightarrow \Delta) = \forall x \in X(\bigwedge \Gamma \supset \bigvee \Delta)$, and it seems our nested calculi would capture the QMLs in [13].¹ Nonetheless, we believe there are independent reasons for studying QMLs over a language containing identity; cf. [7,10]. The formula interpretation of a nested sequent is defined recursively as:

$$\mathrm{fm}(X; \Gamma \Rightarrow \Delta, [S_1], \dots, [S_n]) = \Big(\bigwedge_{x \in X} Ex \wedge \bigwedge \Gamma \supset \bigvee \Delta\Big) \vee \bigvee_{k=1}^{n} \Box\,\mathrm{fm}(S_k)$$


Rules are based on the notion of a hole $\{\cdot\}$, which is a placeholder for a subtree of (the tree of) a nested sequent and, thus, allows one to apply a rule at an arbitrary node in the tree of a nested sequent. A context is defined as follows:

$$C ::= X; \Gamma \Rightarrow \Delta, \{\cdot\}, \dots, \{\cdot\}, [C], \dots, [C]$$

In other words, a context $C$ is a nested sequent with $n \geq 0$ hole occurrences, which do not occur inside formulas and must occur within consequent position. Henceforth we write contexts as $S\{\cdot\}\cdots\{\cdot\}$, indicating each of the holes occurring within the context. The depth of a hole in a context is defined as the height of the branch from that hole to the root (cf. [3]), and we write $\mathrm{Depth}(S\{\cdot\}) \geq n$ for $n \in \mathbb{N}$ to mean that the depth of the hole in $\mathrm{tr}(S\{\cdot\})$ is $n$ or greater.

We define substitutions of nested sequents into contexts recursively on the number and depth of holes in a given context: suppose first that our context is of the form $S\{\cdot\} = X; \Gamma \Rightarrow \Delta, \{\cdot\}, [S_1], \dots, [S_n]$ with a single hole at a depth of $0$ and let $S' = Y; \Pi \Rightarrow \Sigma, [S'_1], \dots, [S'_m]$ be a nested sequent. Then,

$$S\{S'\} = X, Y; \Pi, \Gamma \Rightarrow \Delta, \Sigma, [S_1], \dots, [S_n], [S'_1], \dots, [S'_m]$$

If our context is of the form $S\{\cdot\} = X; \Gamma \Rightarrow \Delta, [S_1\{\cdot\}], \dots, [S_n]$ with a single hole at a depth greater than $0$, then we recursively define $S\{S'\}$ to be the nested sequent $X; \Gamma \Rightarrow \Delta, [S_1\{S'\}], \dots, [S_n]$. This definition extends to a context $S\{\cdot\}\cdots\{\cdot\}$ with $n$ holes in the expected way, and for nested sequents $S_1, \dots, S_n$, we let $S\{S_1\}\cdots\{S_n\}$ denote the nested sequent obtained by replacing, for each $i \in \{1, \dots, n\}$, the $i$-th hole $\{\cdot\}$ in $S\{\cdot\}\cdots\{\cdot\}$ with $S_i$. We may also write $S\{S_1\}\{S_i\}_{i=2}^{n}$ to indicate $S\{S_1\}\cdots\{S_n\}$ more succinctly. Plugging $\emptyset$ into a hole amounts to the removal of the hole; for instance, if $S\{\cdot\}\{\cdot\} = x; A \Rightarrow B, \{\cdot\}, [x, y; B, C \Rightarrow D, \{\cdot\}]$, then $S\{\cdot\}\{\emptyset\} = x; A \Rightarrow B, \{\cdot\}, [x, y; B, C \Rightarrow D]$.

The rules of the nested calculi for QMLs are given in Table 3. The minimal calculus NQ.K contains initial sequents, the logical rules, and the rules for identity (rule Rig is needed, and is sound, because variables are rigid designators). If Q.L is an extension of Q.K as discussed in Sect. 2, then NQ.L denotes the nested calculus extending NQ.K with the rules for the axioms of those logics. Observe that to capture axioms D, CBF, BF, and UI we have added structural rules instead of logical ones since the former have a better behaviour.

¹ We thank the anonymous reviewer who suggested this latter possibility.
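The formula interpretation $\mathrm{fm}$ and the substitution $S\{S'\}$ of nested sequents into contexts, both defined above, can be made concrete with a small tree data structure. The following Python is an added illustration and not code from the paper; as simplifying assumptions, formulas are kept as plain strings, the holes of a context are counted per node and filled depth-first from left to right, and the empty sequent $\emptyset$ is a node with no signature, no formulas and no children.

```python
"""Nested sequents with signatures: formula interpretation fm, hole depths and the
substitution S{S1}...{Sn} into a context (illustration only, not the paper's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Seq:
    """Nested sequent or context X; Γ ⇒ Δ, {·}, ..., {·}, [S1], ..., [Sn].
    Formulas are plain strings (an assumption of this example); `holes` counts
    the hole occurrences {·} sitting at this node."""
    sig: Tuple[str, ...] = ()
    ante: Tuple[str, ...] = ()
    succ: Tuple[str, ...] = ()
    kids: Tuple["Seq", ...] = ()
    holes: int = 0


EMPTY = Seq()   # the empty sequent ∅; plugging it into a hole just removes the hole


def fm(s: Seq) -> str:
    """fm(X; Γ ⇒ Δ, [S1], ..., [Sn]) = (⋀_{x∈X} Ex ∧ ⋀Γ ⊃ ⋁Δ) ∨ ⋁_k □fm(Sk), Ex := ∃y(y = x)."""
    conj = ["∃y(y = %s)" % x for x in s.sig] + list(s.ante)
    left = " ∧ ".join(conj) if conj else "⊤"          # empty conjunction is ⊤
    right = " ∨ ".join(s.succ) if s.succ else "⊥"      # empty disjunction is ⊥
    parts = ["(%s ⊃ %s)" % (left, right)]
    for k in s.kids:
        body = fm(k)
        parts.append("□" + body if not k.kids else "□(" + body + ")")
    return " ∨ ".join(parts)


def hole_depths(s: Seq, depth: int = 0) -> List[int]:
    """Depth of every hole (Depth(S{·}) in the text), in the order used by plug."""
    out = [depth] * s.holes
    for k in s.kids:
        out += hole_depths(k, depth + 1)
    return out


def plug(ctx: Seq, fillers: List[Optional[Seq]]) -> Seq:
    """S{S1}···{Sn}: fill the holes of ctx in order; a filler of None leaves its hole open.
    Filling at a node follows S{S'} = X, Y; Π, Γ ⇒ Δ, Σ, [S1], ..., [Sn], [S'1], ..., [S'm]."""
    queue = list(fillers)
    if len(queue) != len(hole_depths(ctx)):
        raise ValueError("one filler per hole is required")
    return _plug(ctx, queue)


def _plug(node: Seq, queue: List[Optional[Seq]]) -> Seq:
    sig, ante, succ = list(node.sig), list(node.ante), list(node.succ)
    extra, left = [], 0
    for _ in range(node.holes):
        f = queue.pop(0)
        if f is None:
            left += 1                    # keep this hole open
            continue
        sig += f.sig                     # X, Y
        ante = list(f.ante) + ante       # Π, Γ
        succ += f.succ                   # Δ, Σ
        extra += list(f.kids)            # the filler's children follow the context's own
    kids = [_plug(k, queue) for k in node.kids] + extra
    return Seq(tuple(sig), tuple(ante), tuple(succ), tuple(kids), left)
```

With the context of the text, `Seq(("x",), ("A",), ("B",), (Seq(("x", "y"), ("B", "C"), ("D",), (), 1),), 1)`, `hole_depths` returns `[0, 1]` and `plug(ctx, [None, EMPTY])` yields $x; A \Rightarrow B, \{\cdot\}, [x, y; B, C \Rightarrow D]$, exactly the sequent $S\{\cdot\}\{\emptyset\}$ given above.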

In [3], Brünnler only considers nested calculi (for propositional modal logics) 
defined relative to 45-complete sets of axioms. This restriction is required to 
ensure that the nested calculi contain all rules required for their completeness. 
Similarly, in the first-order setting, we only consider nested calculi defined rela- 
tive to properly closed sets of axioms, which is a generalisation of 45-completeness 
and takes care of the interaction of B with CBF and BF (for example), ensuring 
the completeness of our nested calculi. 
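As an added worked example (not part of the original paper), the following two derivations, written in the notation of Table 3, show how the structural domain rules make the interaction formulas derivable: CBF in NQ.K extended with $R_{cbf}$, and BF in NQ.K extended with $R_{bf}$. Each sequent is obtained from the one above it by the rule named on the right, so the end-sequent is the bottom line and the topmost line is a generalised initial sequent (Lemma 1). In the CBF derivation the instantiation $L\forall$ inside the inner node is only possible because $R_{cbf}$ lets $y$ be added to the inner signature; without that rule the inner node $[\emptyset; \forall x A \Rightarrow A(y/x)]$ has an empty signature and the bottom-up search is blocked. Symmetrically, the BF derivation needs $R_{bf}$ to move $y$ from the inner signature to the root before $\forall x \Box A$ can be instantiated.

```latex
% CBF := □∀xA ⊃ ∀x□A in NQ.K + R_cbf (y fresh at the R∀ step)
\begin{array}{ll}
  y;\ \Box\forall x A \Rightarrow [\,y;\ A(y/x), \forall x A \Rightarrow A(y/x)\,] & \text{initial sequent (Lemma 1)}\\
  y;\ \Box\forall x A \Rightarrow [\,y;\ \forall x A \Rightarrow A(y/x)\,] & L\forall\\
  y;\ \Box\forall x A \Rightarrow [\,\emptyset;\ \forall x A \Rightarrow A(y/x)\,] & R_{cbf}\\
  y;\ \Box\forall x A \Rightarrow [\,\emptyset;\ \Rightarrow A(y/x)\,] & L\Box\\
  y;\ \Box\forall x A \Rightarrow \Box A(y/x) & R\Box\\
  \emptyset;\ \Box\forall x A \Rightarrow \forall x \Box A & R\forall\ (y \text{ fresh})\\
  \emptyset;\ \Rightarrow \Box\forall x A \supset \forall x \Box A & R\supset
\end{array}

% BF := ∀x□A ⊃ □∀xA in NQ.K + R_bf (y fresh at the R∀ step)
\begin{array}{ll}
  y;\ \Box A(y/x), \forall x \Box A \Rightarrow [\,y;\ A(y/x) \Rightarrow A(y/x)\,] & \text{initial sequent (Lemma 1)}\\
  y;\ \Box A(y/x), \forall x \Box A \Rightarrow [\,y;\ \Rightarrow A(y/x)\,] & L\Box\\
  y;\ \forall x \Box A \Rightarrow [\,y;\ \Rightarrow A(y/x)\,] & L\forall\\
  \emptyset;\ \forall x \Box A \Rightarrow [\,y;\ \Rightarrow A(y/x)\,] & R_{bf}\\
  \emptyset;\ \forall x \Box A \Rightarrow [\,\emptyset;\ \Rightarrow \forall x A\,] & R\forall\ (y \text{ fresh})\\
  \emptyset;\ \forall x \Box A \Rightarrow \Box\forall x A & R\Box\\
  \emptyset;\ \Rightarrow \forall x \Box A \supset \Box\forall x A & R\supset
\end{array}
```

In both derivations $(\Box A)(y/x)$ is written $\Box A(y/x)$, and the $R\forall$ step in the BF derivation is applied inside the inner node, whose signature becomes $y$; this is precisely the signature that the root lacks until $R_{bf}$ is applied.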


Definition 1 (Properly Closed). Let $L \subseteq \{D, T, B, 4, 5, \mathrm{CBF}, \mathrm{BF}, \mathrm{UI}\}$. We define $L$ to be properly closed iff, whenever all Q.L-frames satisfy the property of an axiom $X \in \{4, 5, \mathrm{CBF}, \mathrm{BF}\}$, then $X \in L$. We define a nested calculus NQ.L to be properly closed iff (1) $L$ is properly closed, and (2) $R_{5dom} \in$ NQ.L iff $5 \in L$ and $\{\mathrm{CBF}, \mathrm{BF}\} \cap L \neq \emptyset$.


Remark 1. All nested calculi considered henceforth will be assumed properly closed.


Given a calculus NQ.L, an NQ.L-derivation of a nested sequent S is a tree 
of nested sequents, whose leaves are initial sequents, whose root is S, and which 
grows according to the rules of NQ.L. We consider only derivations of pure 
sequents, meaning no variable has both free and bound occurrences and each 
eigenvariable (i.e., a fresh variable participating in an RV inference) is distinct. 
The height of an NQ.L-derivation is the number of nodes of one of its longest 
branches. We say that S is NQ.L-derivable if there is an NQ.L-derivation of 
S or of an alphabetical variant of S. We let NQ.L + S denote that S is NQ.L- 
derivable. A rule is said to be (height-preserving) admissible in NQ.L, if, whenever 
its premisses are NQ.L-derivable (with height at most n), also its conclusion is 
NQ.L-derivable (with height at most n). A rule is said to be (height-preserving) 
invertible in NQ.L, if, whenever its conclusion is NQ.L-derivable (with height 
at most n), each premiss is NQ.L-derivable (with height at most n). For each 
rule displayed in Table 3, the formulas explicitly displayed in the conclusion are called principal, those explicitly displayed in the premisses are called auxiliary, and everything else constitutes the context.


4 Properties and Cut-Elimination 


We now show that our nested calculi satisfy fundamental admissibility and 
invertibility properties. Ultimately, we will apply these properties in our proof 
of syntactic cut-elimination. 


Lemma 1 (Generalised Initial Sequents). NQ.L $\vdash S\{X; A, \Gamma \Rightarrow \Delta, A\}$, for any arbitrary $\mathcal{L}$-formula $A$.

Proof. By a standard induction on the weight of $A$.

Lemma 2. The sequents $S\{\ \Rightarrow x = x\}$ and $S\{x = y, A(x/z) \Rightarrow A(y/z)\}$ are NQ.L-derivable.
Table 3. Nested rules for QML

Initial Sequents: $S\{X; P, \Gamma \Rightarrow \Delta, P\}$ with $P$ atomic

Logical Rules:

$$
S\{X; \bot, \Gamma \Rightarrow \Delta\}\ L\bot
\qquad
\frac{S\{X; \Gamma \Rightarrow \Delta, A\} \quad S\{X; B, \Gamma \Rightarrow \Delta\}}{S\{X; A \supset B, \Gamma \Rightarrow \Delta\}}\ L\supset
\qquad
\frac{S\{X; A, \Gamma \Rightarrow \Delta, B\}}{S\{X; \Gamma \Rightarrow \Delta, A \supset B\}}\ R\supset
$$
$$
\frac{S\{X, y; A(y/x), \forall x A, \Gamma \Rightarrow \Delta\}}{S\{X, y; \forall x A, \Gamma \Rightarrow \Delta\}}\ L\forall
\qquad
\frac{S\{X, y; \Gamma \Rightarrow \Delta, A(y/x)\}}{S\{X; \Gamma \Rightarrow \Delta, \forall x A\}}\ R\forall,\ y \text{ fresh}
$$
$$
\frac{S\{X; \Box A, \Gamma \Rightarrow \Delta, [Y; A, \Pi \Rightarrow \Sigma]\}}{S\{X; \Box A, \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}}\ L\Box
\qquad
\frac{S\{X; \Gamma \Rightarrow \Delta, [\emptyset; \Rightarrow A]\}}{S\{X; \Gamma \Rightarrow \Delta, \Box A\}}\ R\Box
$$

Identity Rules:

$$
\frac{S\{X; x = x, \Gamma \Rightarrow \Delta\}}{S\{X; \Gamma \Rightarrow \Delta\}}\ \mathrm{Ref}
\qquad
\frac{S\{X; P(y/z), x = y, P(x/z), \Gamma \Rightarrow \Delta\}}{S\{X; x = y, P(x/z), \Gamma \Rightarrow \Delta\}}\ \mathrm{Repl}
$$
$$
\frac{S\{X, x, y; x = y, \Gamma \Rightarrow \Delta\}}{S\{X, x; x = y, \Gamma \Rightarrow \Delta\}}\ \mathrm{Repl}_X
\qquad
\frac{S\{X; x = y, \Gamma \Rightarrow \Delta, [Y; x = y, \Pi \Rightarrow \Sigma]\}}{S\{X; x = y, \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}}\ \mathrm{Rig}
$$

Rules for Propositional Axioms:

$$
\frac{S\{X; \Gamma \Rightarrow \Delta, [\emptyset; \Rightarrow\ ]\}}{S\{X; \Gamma \Rightarrow \Delta\}}\ R_D
\qquad
\frac{S\{X; A, \Box A, \Gamma \Rightarrow \Delta\}}{S\{X; \Box A, \Gamma \Rightarrow \Delta\}}\ R_T
\qquad
\frac{S\{X; A, \Gamma \Rightarrow \Delta, [Y; \Box A, \Pi \Rightarrow \Sigma]\}}{S\{X; \Gamma \Rightarrow \Delta, [Y; \Box A, \Pi \Rightarrow \Sigma]\}}\ R_B
$$
$$
\frac{S\{X; \Box A, \Gamma \Rightarrow \Delta, [Y; \Box A, \Pi \Rightarrow \Sigma]\}}{S\{X; \Box A, \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}}\ R_4
\qquad
\frac{S\{X; \Box A, \Gamma \Rightarrow \Delta\}\{Y; \Box A, \Pi \Rightarrow \Sigma\}}{S\{X; \Box A, \Gamma \Rightarrow \Delta\}\{Y; \Pi \Rightarrow \Sigma\}}\ R_5,\ \mathrm{Depth}(S\{\cdot\}\{\emptyset\}) \geq 1
$$

Rules for Domains:

$$
\frac{S\{X, x; \Gamma \Rightarrow \Delta, [Y, x; \Pi \Rightarrow \Sigma]\}}{S\{X, x; \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}}\ R_{cbf}
\qquad
\frac{S\{X, x; \Gamma \Rightarrow \Delta, [Y, x; \Pi \Rightarrow \Sigma]\}}{S\{X; \Gamma \Rightarrow \Delta, [Y, x; \Pi \Rightarrow \Sigma]\}}\ R_{bf}
\qquad
\frac{S\{X, x; \Gamma \Rightarrow \Delta\}}{S\{X; \Gamma \Rightarrow \Delta\}}\ R_{ui}
$$
$$
\frac{S\{X, x; \Gamma \Rightarrow \Delta\}\{Y, x; \Pi \Rightarrow \Sigma\}}{S\{X, x; \Gamma \Rightarrow \Delta\}\{Y; \Pi \Rightarrow \Sigma\}}\ R_{5dom},\ \mathrm{Depth}(S\{\emptyset\}\{\cdot\}) \geq 1 \text{ and } \mathrm{Depth}(S\{\cdot\}\{\emptyset\}) \geq 1
$$


Proof. $S\{\ \Rightarrow x = x\}$ is derivable by applying an instance of rule Ref to the initial sequent $S\{x = x \Rightarrow x = x\}$. The case of $S\{x = y, A(x/z) \Rightarrow A(y/z)\}$ is handled by induction on $|A(x/z)|$. We consider only the case where $A(x/z) = \Box B(x/z)$; signatures are omitted, the topmost sequent is derivable by the inductive hypothesis, and each further sequent follows from the one above it by the rule on the right:

$$
\begin{array}{ll}
S\{x = y, \Box B(x/z) \Rightarrow [\,x = y, B(x/z) \Rightarrow B(y/z)\,]\} & \text{IH}\\
S\{x = y, \Box B(x/z) \Rightarrow [\,B(x/z) \Rightarrow B(y/z)\,]\} & \mathrm{Rig}\\
S\{x = y, \Box B(x/z) \Rightarrow [\,\Rightarrow B(y/z)\,]\} & L\Box\\
S\{x = y, \Box B(x/z) \Rightarrow \Box B(y/z)\} & R\Box
\end{array}
$$


Lemma 3. The following $R\bot$ rule is height-preserving admissible in NQ.L:

$$\frac{S\{X; \Gamma \Rightarrow \Delta, \bot\}}{S\{X; \Gamma \Rightarrow \Delta\}}\ R\bot$$

Proof. By a straightforward induction on the height of the derivation $\mathcal{D}$ of the premiss. The proof is almost trivial as any application of $R\bot$ to an initial sequent or to an instance of $L\bot$ gives another initial sequent or instance of $L\bot$, respectively, and $R\bot$ permutes above every other rule of NQ.L.


Lemma 4 (Substitution). The following rule of substitution of free variables is height-preserving admissible in NQ.L:

$$\frac{S\{X; \Gamma \Rightarrow \Delta\}}{S(y/x)\{X(y/x); \Gamma(y/x) \Rightarrow \Delta(y/x)\}}\ (y/x)$$

Proof. By induction on the height of the derivation $\mathcal{D}$ of the premiss. The only interesting case is when the last step of $\mathcal{D}$ is an instance of $R\forall$:

$$\frac{S\{X, z_2; \Gamma \Rightarrow \Delta, A(z_2/z_1)\}}{S\{X; \Gamma \Rightarrow \Delta, \forall z_1 A\}}\ R\forall,\ z_2 \text{ fresh}$$

We transform the derivation of the premiss by applying the inductive hypothesis twice to ensure the freshness condition is preserved: the first time to replace $z_2$ with a fresh variable $z_3$ and then to replace $x$ with $y$. We conclude by applying $R\forall$ with $z_3$ as the eigenvariable.


Typically, admissible structural rules operate on either formulas (e.g., see the 
internal weakening rule IW below) or nesting structure (e.g., see the Merge rule 
below) in nested calculi. An interesting observation in the first-order setting is 
that admissible structural rules also act on the signatures occurring in nested 
sequents. This gives rise to forms of weakening and contraction for terms, which 
are reminiscent of analogous rules formulated in the context of hypersequents 
with signatures [24]. 


Lemma 5 (Signature Structural Rules). The following rules of signature weakening and signature contraction are height-preserving admissible in NQ.L:

$$\frac{S\{X; \Gamma \Rightarrow \Delta\}}{S\{X, x; \Gamma \Rightarrow \Delta\}}\ \mathrm{SW} \qquad \frac{S\{X, x, x; \Gamma \Rightarrow \Delta\}}{S\{X, x; \Gamma \Rightarrow \Delta\}}\ \mathrm{SC}$$

Proof. By a standard induction on the height of the derivation $\mathcal{D}$ of the premiss. Proving height-preserving admissibility of SC is trivial as the rule permutes above all rules of NQ.L. Proving the height-preserving admissibility of SW is also straightforward, with the only interesting case arising when $\mathcal{D}$ ends with an instance of $R\forall$ with $x$ as the eigenvariable. However, this case is easily managed by applying the height-preserving admissible substitution $(y/x)$ to ensure the freshness condition for $R\forall$ is satisfied, followed by the inductive hypothesis, and an application of $R\forall$.


As in the setting of first-order intuitionistic logics with increasing and con- 
stant domains (see [14]), we find that our structural rules for domains give rise 
to admissible logical rules generalising the $L\forall$ rule. Such rules (presented in the proposition below) combine the functionality of the associated domain structural rules with the $L\forall$ rule. The $L\forall_{cbf}$ and $L\forall_{bf}$ rules are instances of reachability rules [16,17], which bottom-up operate by searching for terms along edges in a nested sequent used to instantiate universal formulas.
Proposition 1. The following logical rules for the 'domain axioms' and for axiom D are admissible in the nested calculi including the appropriate structural rules for domains or $R_D$:

$$
\frac{S\{X; A(y/x), \forall x A, \Gamma \Rightarrow \Delta, [Y, y; \Pi \Rightarrow \Sigma]\}}{S\{X; \forall x A, \Gamma \Rightarrow \Delta, [Y, y; \Pi \Rightarrow \Sigma]\}}\ L\forall_{bf}
\qquad
\frac{S\{X; A(y/x), \forall x A, \Gamma \Rightarrow \Delta\}}{S\{X; \forall x A, \Gamma \Rightarrow \Delta\}}\ L\forall_{ui}
$$
$$
\frac{S\{X, y; \Gamma \Rightarrow \Delta, [Y; A(y/x), \forall x A, \Pi \Rightarrow \Sigma]\}}{S\{X, y; \Gamma \Rightarrow \Delta, [Y; \forall x A, \Pi \Rightarrow \Sigma]\}}\ L\forall_{cbf}
\qquad
\frac{S\{X; \Box A, \Gamma \Rightarrow \Delta, [\emptyset; A \Rightarrow\ ]\}}{S\{X; \Box A, \Gamma \Rightarrow \Delta\}}\ L_D
$$

Proof. The admissibility of $L\forall_{cbf}$ from $R_{cbf}$ and SW is proven as follows (each sequent is obtained from the one above it by the rule on the right):

$$
\begin{array}{ll}
S\{X, y; \Gamma \Rightarrow \Delta, [Y; A(y/x), \forall x A, \Pi \Rightarrow \Sigma]\} & \\
S\{X, y; \Gamma \Rightarrow \Delta, [Y, y; A(y/x), \forall x A, \Pi \Rightarrow \Sigma]\} & \mathrm{SW}\\
S\{X, y; \Gamma \Rightarrow \Delta, [Y, y; \forall x A, \Pi \Rightarrow \Sigma]\} & L\forall\\
S\{X, y; \Gamma \Rightarrow \Delta, [Y; \forall x A, \Pi \Rightarrow \Sigma]\} & R_{cbf}
\end{array}
$$

The cases of $L\forall_{bf}$ and $L\forall_{ui}$ are similar, and the case of $L_D$ follows immediately from $R_D$.


Lemma 6 (Weakenings). The following rules of internal and external weakening are height-preserving admissible in NQ.L:

$$\frac{S\{X; \Gamma \Rightarrow \Delta\}}{S\{X; \Pi, \Gamma \Rightarrow \Delta, \Sigma\}}\ \mathrm{IW} \qquad \frac{S\{X; \Gamma \Rightarrow \Delta\}}{S\{X; \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}}\ \mathrm{EW}$$

Proof. By induction on the height of the derivation $\mathcal{D}$ of the premiss. If $\mathcal{D}$ ends with an instance of rule $R\forall$ with $y$ the eigenvariable, we apply the (height-preserving admissible) substitution rule to replace $y$ with a fresh variable $z$ occurring neither in $S\{X; \Gamma \Rightarrow \Delta\}$, nor in $\Pi, \Sigma$ (in the IW case) or in $Y, \Pi, \Sigma$ (in the EW case). Then, we apply the inductive hypothesis and an instance of $R\forall$ to conclude $S\{X; \Pi, \Gamma \Rightarrow \Delta, \Sigma\}$ in the IW case and $S\{X; \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}$ in the EW case.


Lemma 7 (Necessitation and Merge). The following rules are height-preserving admissible in NQ.L:

$$\frac{S}{\emptyset; \Rightarrow [S]}\ \mathrm{Nec} \qquad \frac{S\{X; \Gamma \Rightarrow \Delta, [Y; \Pi_1 \Rightarrow \Delta_1], [Z; \Pi_2 \Rightarrow \Delta_2]\}}{S\{X; \Gamma \Rightarrow \Delta, [Y, Z; \Pi_1, \Pi_2 \Rightarrow \Delta_1, \Delta_2]\}}\ \mathrm{Merge}$$


Proof. By a simple induction on the height of the derivation of the premiss. 


Lemma 8 (Invertibility). Each rule of NQ.L is height-preserving invertible. 


Proof. The proof is by induction on the height of the derivation. The height- 
preserving invertibility of all rules but $L\Box$, $R\Box$, $R\forall$ and $R\supset$ follows from Lemmas 5 and 6, and the proof of the remaining cases is standard.
Lemma 9 (Contraction). The following rules of left and right contraction are height-preserving admissible in NQ.L:

$$\frac{S\{X; \Gamma, A, A \Rightarrow \Delta\}}{S\{X; \Gamma, A \Rightarrow \Delta\}}\ \mathrm{CL} \qquad \frac{S\{X; \Gamma \Rightarrow \Delta, A, A\}}{S\{X; \Gamma \Rightarrow \Delta, A\}}\ \mathrm{CR}$$

Proof. By simultaneous induction on the height of the derivation of the premisses of CL and CR. We consider only the non-trivial $R\forall$ case for CR as the remaining cases are similar or simpler. Assume that the last step of $\mathcal{D}$ is:

$$\frac{S\{X, y; \Gamma \Rightarrow \Delta, A(y/x), \forall x A\}}{S\{X; \Gamma \Rightarrow \Delta, \forall x A, \forall x A\}}\ R\forall$$

To resolve the case, we apply the height-preserving invertibility of $R\forall$, the height-preserving admissibility of $(y/z)$ and SC, followed by the inductive hypothesis. Finally, an application of $R\forall$ gives the desired conclusion (each sequent is obtained from the one above it by the step on the right):

$$
\begin{array}{ll}
S\{X, y; \Gamma \Rightarrow \Delta, A(y/x), \forall x A\} & \\
S\{X, y, z; \Gamma \Rightarrow \Delta, A(y/x), A(z/x)\} & \text{Lemma 8}\\
S\{X, y, y; \Gamma \Rightarrow \Delta, A(y/x), A(y/x)\} & (y/z)\\
S\{X, y; \Gamma \Rightarrow \Delta, A(y/x), A(y/x)\} & \mathrm{SC}\\
S\{X, y; \Gamma \Rightarrow \Delta, A(y/x)\} & \text{IH}\\
S\{X; \Gamma \Rightarrow \Delta, \forall x A\} & R\forall
\end{array}
$$


Due to the presence of $R_4$ and $R_5$ in specific nested calculi, our cut elimination theorem (Theorem 2 below) requires us to simultaneously eliminate a second form of cut that acts on modal formulas. We refer to this rule as L-Cut and note that it is essentially Brünnler's Y-cut rule [3]. Since the principal and auxiliary formulas of $R_4$ and $R_5$ are of the same weight (i.e. both are $\Box A$), L-Cut is needed to permute the cut upward in these special cases as cuts cannot be reduced to formulas of a smaller weight.


Definition 2 (L-Cut and L-Str). Let NQ.L be properly closed. We define L-Cut to be the rule with conclusion

$$S\{X; \Gamma \Rightarrow \Delta\}\{Y_i; \Pi_i \Rightarrow \Sigma_i\}_{i=1}^{n}$$

which is subject to the following side conditions:

- if $4, 5 \notin L$, then $n = 0$;
- if $4 \in L$ and $5 \notin L$, then $S\{\cdot\}\{\cdot\}_{i=1}^{n}$ is of the form $S\{X; \Gamma \Rightarrow \Delta, \{\cdot\}, [S_i\{\cdot\}]_{i=1}^{n}\}$;
- if $5 \in L$ and $4 \notin L$, then $\mathrm{Depth}(S\{\cdot\}\{\emptyset\}_{i=1}^{n}) \geq 1$;
- otherwise, if $4, 5 \in L$, then no restriction on the shape of the rule is enforced.
Table 4. Structural rules for propositional axioms

$$
\frac{S\{X; \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}}{S\{X, Y; \Pi, \Gamma \Rightarrow \Delta, \Sigma\}}\ S_T
\qquad
\frac{S\{X; \Gamma \Rightarrow \Delta, [Y; \Pi \Rightarrow \Sigma]\}}{S\{X; \Gamma \Rightarrow \Delta, [\emptyset; \Rightarrow\ , [Y; \Pi \Rightarrow \Sigma]]\}}\ S_4
$$
$$
\frac{S\{Y_1; \Pi_1 \Rightarrow \Sigma_1, [X; \Gamma \Rightarrow \Delta]\}\{Y_2; \Pi_2 \Rightarrow \Sigma_2\}}{S\{Y_1; \Pi_1 \Rightarrow \Sigma_1\}\{Y_2; \Pi_2 \Rightarrow \Sigma_2, [X; \Gamma \Rightarrow \Delta]\}}\ S_5,\ \mathrm{Depth}(S\{\cdot\}\{\emptyset\}) \geq 1
$$
$$
\frac{S\{X; \Gamma \Rightarrow \Delta, [Y; \Pi_1 \Rightarrow \Sigma_1, [Z; \Pi_2 \Rightarrow \Sigma_2]]\}}{S\{X, Z; \Pi_2, \Gamma \Rightarrow \Delta, \Sigma_2, [Y; \Pi_1 \Rightarrow \Sigma_1]\}}\ S_B
$$

We define L-Str to be the following rule:

$$
\frac{S\{Y_1; \Pi_1 \Rightarrow \Sigma_1, [X; \Gamma \Rightarrow \Delta]\}\{Y_2; \Pi_2 \Rightarrow \Sigma_2\}}{S\{Y_1; \Pi_1 \Rightarrow \Sigma_1\}\{Y_2; \Pi_2 \Rightarrow \Sigma_2, [X; \Gamma \Rightarrow \Delta]\}}\ \text{L-Str}
$$

which is subject to the following side conditions:

- if $4, 5 \notin L$, then $S\{\cdot\}\{\cdot\}$ is of the form $S\{X; \Gamma \Rightarrow \Delta, \{\cdot\}, \{\cdot\}\}$;
- if $4 \in L$ and $5 \notin L$, then $S\{\cdot\}\{\cdot\}$ is of the form $S\{X; \Gamma \Rightarrow \Delta, \{\cdot\}, [S_1\{\cdot\}]\}$;
- if $5 \in L$ and $4 \notin L$, then $\mathrm{Depth}(S\{\cdot\}\{\emptyset\}) \geq 1$;
- otherwise, if $4, 5 \in L$, then no restriction on the shape of the rule is enforced.


Lemma 10 (Special Structural Rules). If NQ.L contains the rule $R_X$ for the propositional axiom $X$, then the corresponding structural rule from Table 4 is admissible in NQ.L. Moreover, L-Str is admissible in NQ.L.


Proof. We argue the $S_B$ case by induction on the height of the given derivation; the remaining cases are considered in the appended version of this paper [18]. We only consider the $R_{bf}$ and $R_{5dom}$ cases of the inductive step as the remaining cases are simple or similar. In the $R_{bf}$ case the given derivation ends as follows, and we want to apply $S_B$ to its conclusion:

$$
\begin{array}{ll}
S\{Z; \Pi_1 \Rightarrow \Sigma_1, [X, x; \Gamma \Rightarrow \Delta, [Y, x; \Pi_2 \Rightarrow \Sigma_2]]\} & \\
S\{Z; \Pi_1 \Rightarrow \Sigma_1, [X; \Gamma \Rightarrow \Delta, [Y, x; \Pi_2 \Rightarrow \Sigma_2]]\} & R_{bf}\\
S\{Z, Y, x; \Pi_1, \Pi_2 \Rightarrow \Sigma_1, \Sigma_2, [X; \Gamma \Rightarrow \Delta]\} & S_B
\end{array}
$$

As our nested calculi are assumed to be properly closed, we know that if NQ.L contains $R_B$ and $R_{bf}$, then it must contain $R_{cbf}$, showing that we can apply IH first and then $R_{cbf}$ as shown below.

$$
\begin{array}{ll}
S\{Z; \Pi_1 \Rightarrow \Sigma_1, [X, x; \Gamma \Rightarrow \Delta, [Y, x; \Pi_2 \Rightarrow \Sigma_2]]\} & \\
S\{Z, Y, x; \Pi_1, \Pi_2 \Rightarrow \Sigma_1, \Sigma_2, [X, x; \Gamma \Rightarrow \Delta]\} & \text{IH}\\
S\{Z, Y, x; \Pi_1, \Pi_2 \Rightarrow \Sigma_1, \Sigma_2, [X; \Gamma \Rightarrow \Delta]\} & R_{cbf}
\end{array}
$$

Last, we consider an interesting $R_{5dom}$ case, where the given derivation ends as follows and we want to apply $S_B$ to its conclusion (the node $Y, x; \Pi_2 \Rightarrow \Sigma_2$ lies at depth $n \geq 1$ inside the subtree $S\{\cdot\}$):

$$
\begin{array}{ll}
Z; \Pi_1 \Rightarrow \Sigma_1, [X_1; \Gamma_1 \Rightarrow \Delta_1, [X_2, x; \Gamma_2 \Rightarrow \Delta_2]], [S\{Y, x; \Pi_2 \Rightarrow \Sigma_2\}] & \\
Z; \Pi_1 \Rightarrow \Sigma_1, [X_1; \Gamma_1 \Rightarrow \Delta_1, [X_2, x; \Gamma_2 \Rightarrow \Delta_2]], [S\{Y; \Pi_2 \Rightarrow \Sigma_2\}] & R_{5dom}\\
Z, X_2, x; \Pi_1, \Gamma_2 \Rightarrow \Sigma_1, \Delta_2, [X_1; \Gamma_1 \Rightarrow \Delta_1], [S\{Y; \Pi_2 \Rightarrow \Sigma_2\}] & S_B
\end{array}
$$

To resolve the case, we apply the inductive hypothesis, followed by the height-preserving admissible rule SW. We apply the SW rule $n - 1$ times, adding the variable $x$ to the signature of every node along the path from the root to $Y, x; \Pi_2 \Rightarrow \Sigma_2$ (we write $S^{x}\{\cdot\}$ for the context so obtained), and then the $R_{cbf}$ rule $n$ times to delete, from the leaf upwards, the copies of $x$ below the root. We may apply $R_{cbf}$ as our nested calculi are properly closed, that is, $B, \mathrm{BF} \in L$ only if $\mathrm{CBF} \in L$.

$$
\begin{array}{ll}
Z; \Pi_1 \Rightarrow \Sigma_1, [X_1; \Gamma_1 \Rightarrow \Delta_1, [X_2, x; \Gamma_2 \Rightarrow \Delta_2]], [S\{Y, x; \Pi_2 \Rightarrow \Sigma_2\}] & \\
Z, X_2, x; \Pi_1, \Gamma_2 \Rightarrow \Sigma_1, \Delta_2, [X_1; \Gamma_1 \Rightarrow \Delta_1], [S\{Y, x; \Pi_2 \Rightarrow \Sigma_2\}] & \text{IH}\\
Z, X_2, x; \Pi_1, \Gamma_2 \Rightarrow \Sigma_1, \Delta_2, [X_1; \Gamma_1 \Rightarrow \Delta_1], [S^{x}\{Y, x; \Pi_2 \Rightarrow \Sigma_2\}] & \mathrm{SW}\ (n - 1 \text{ times})\\
Z, X_2, x; \Pi_1, \Gamma_2 \Rightarrow \Sigma_1, \Delta_2, [X_1; \Gamma_1 \Rightarrow \Delta_1], [S\{Y; \Pi_2 \Rightarrow \Sigma_2\}] & R_{cbf}\ (n \text{ times})
\end{array}
$$


In our cut-elimination theorem below, we provide a procedure to eliminate 
an additive (i.e. context-sharing) version of cut as in the work on nested sequents 
for propositional modal logics by Brünnler [3]. We note that we could have con- 
sidered an equivalent, multiplicative (i.e. context-independent) version—like the 
cut rule shown eliminable in the tree-hypersequent systems of Poggiolesi [22]— 
however, we find the additive version of the rule to be simpler as we can forgo 
considerations of how to fuse nested sequents of a different form.* 


Theorem 2 (Cut). L-Cut and the following rule of Cut are admissible in NQ.L: 

S{X; Γ ⇒ Δ, A}    S{X; A, Γ ⇒ Δ}
--------------------------------- Cut
          S{X; Γ ⇒ Δ}


Proof. We consider an uppermost instance of L-Cut or Cut with A = □B and A 
the cut formula of each rule, respectively. We argue by simultaneous induction 
on the lexicographic ordering of pairs (|A|, h₁ + h₂), where |A| is the weight of 
A and h₁ (h₂) is the height of the derivation D₁ (D₂) of the left (right) premiss 
of the instance of L-Cut or Cut under consideration. 

Let us first consider the case where the weight of A is zero, i.e. A is a formula 
of the form Rⁿ(x₁, ..., xₙ), ⊥, or x = y. The first two cases are standard, so we 
consider the case when A is of the form x = y. We suppose first that x = y is 
not principal in the left premiss of Cut. If the left premiss is an initial sequent or 
an instance of L⊥, then the conclusion will be as well, so we may assume that 
the left premiss was derived by means of another rule. We suppose w.l.o.g. that 
the left premiss was derived by means of a unary rule as the binary case for L⊃ 
is similar, meaning our Cut is of the following form: 


S₁{X₁; Γ₁ ⇒ Δ₁, x = y}           S₂{X₂; x = y, Γ₂ ⇒ Δ₂}
---------------------- R1        ---------------------- R2
S{X; Γ ⇒ Δ, x = y}               S{X; x = y, Γ ⇒ Δ}
------------------------------------------------------- Cut
                     S{X; Γ ⇒ Δ}


* Nested sequents and tree-hypersequents are equivalent formalisms; cf. [3, 22]. 
As shown below, we can resolve the case by applying the height-preserving invert- 
ibility of R1 to the right premiss of Cut, applying Cut with the premiss of R1, 
and then applying R1 after (note that R1 is applicable after the Cut since x = y 
is neither auxiliary nor principal in R1 by the shape of the rules in NQ.L). 


                                 S₂{X₂; x = y, Γ₂ ⇒ Δ₂}
                                 ---------------------- R2
                                 S{X; x = y, Γ ⇒ Δ}
                                 ---------------------- (invertibility of R1)
S₁{X₁; Γ₁ ⇒ Δ₁, x = y}           S₁{X₁; x = y, Γ₁ ⇒ Δ₁}
------------------------------------------------------- Cut
                  S₁{X₁; Γ₁ ⇒ Δ₁}
                  --------------- R1
                  S{X; Γ ⇒ Δ}


If we suppose now that x = y is principal in the left premiss of Cut, then the left 
premiss must be an initial sequent of the form S{X; x = y, Γ ⇒ Δ, x = y}. We 
have cases according to whether x = y is principal or not in the right premiss. 
If it is principal then the right premiss is either (i) an initial sequent or (ii) 
the conclusion of an instance of a rule in {Repl, Replx, Rig}. In case (i) the 
conclusion of Cut is an initial sequent and in case (ii) the conclusion of Cut is 
identical to the conclusion of its right premiss, which is cut-free derivable. Else, 
the Cut is of the form shown below, where two copies of x = y must occur in 
the right premiss since the contexts must match in Cut. 


                                 S'{X'; x = y, x = y, Γ' ⇒ Δ'}
                                 ----------------------------- R2
S{X; x = y, Γ ⇒ Δ, x = y}        S{X; x = y, x = y, Γ ⇒ Δ}
-------------------------------------------------------------- Cut
                     S{X; x = y, Γ ⇒ Δ}


Applying the height-preserving admissible rule CL to the right premiss of Cut 
gives the desired conclusion. 

Let us suppose now that the weight of the cut formula is greater than zero. 
We also assume that the cut formula is principal in both premisses of Cut and 
consider the interesting cases when A = ∀xB and A = □B as all other cases 
are standard, see [3, Thm. 5]. If the cut formula A = ∀xB is principal in both 
premisses of Cut, then our Cut is of the following form: 


S{X, y, z; Γ ⇒ Δ, B(y/x)}             S{X, z; B(z/x), ∀xB, Γ ⇒ Δ}
------------------------- R∀          ---------------------------- L∀
S{X, z; Γ ⇒ Δ, ∀xB}                   S{X, z; ∀xB, Γ ⇒ Δ}
------------------------------------------------------------------ Cut
                         S{X, z; Γ ⇒ Δ}


We first shift the Cut upward by applying the height-preserving admissibility of 
IW to the left premiss of Cut, and then apply Cut with the premiss of L∀ as 
shown below, thus reducing h₁ + h₂. 
S{X, y, z; Γ ⇒ Δ, B(y/x)}
------------------------- R∀
S{X, z; Γ ⇒ Δ, ∀xB}
--------------------------- IW
S{X, z; B(z/x), Γ ⇒ Δ, ∀xB}          S{X, z; B(z/x), ∀xB, Γ ⇒ Δ}
--------------------------------------------------------------- Cut
                  S{X, z; B(z/x), Γ ⇒ Δ}


Let us refer to the above proof as D. We now reduce the weight of the cut formula 
by applying Cut as shown below, giving the desired conclusion. 
S{X, y, z; Γ ⇒ Δ, B(y/x)}
------------------------- (z/y)
S{X, z, z; Γ ⇒ Δ, B(z/x)}
------------------------- SC
S{X, z; Γ ⇒ Δ, B(z/x)}          S{X, z; B(z/x), Γ ⇒ Δ}   (by D)
--------------------------------------------------------- Cut
                  S{X, z; Γ ⇒ Δ}

We now assume that the cut formula A = □B is principal in both premisses 
and we may assume w.l.o.g. that the cut is an instance of L-Cut. We consider the 
case where the right premiss of L-Cut is an instance of R_T and the left premiss of 
L-Cut is an instance of R□. The remaining cases are proven in a similar fashion. 
The trick is to use the height-preserving admissibility of the special structural 
rules (see Lemma 10), namely, the S_T rule. Our L-Cut is of the following form: 


(z/y) 


Cut 


SQGT > Alb BY > E. S{X; OB, B, > AY; HB Mi > Xij p 
S{X; Tr > A, OBHY; I; > Xi} S{X; OB, T => A4 Y; OB, IM; > Xia 
S{X; r > AHY; Ti > Diya 
Let D₁ and D₂ denote the derivation of the left and right premiss of L-Cut, 
respectively. To resolve the case, we first apply the height-preserving admissible 
rule IW to the conclusion of D₁, yielding the derivation D₃ shown below top. We 
then apply L-Cut to the conclusion of D₃ and the premiss of D₂ (where h₁ + h₂ 
is strictly smaller), giving the second derivation shown below, which we refer to 
as D₄. Finally, as shown in the third derivation below, we can apply Cut to B 
(which has a strictly smaller weight than □B), and derive the desired conclusion 
after a single application of the admissible rule S_T to the left premiss. 


T 


L-Cut 


S{X; T => A, p; 2 Bs Mi > I 
D3 S{X; I > AUBHY; Il; 2 Xia 
S(X; B, T > A,UBMHY; Il; 2 Xia 


IW 


L-Cut 


D D3 S(X; OB, B, D > AHY OB, IH; > Xia 
i SUGB,P S ANY > X04 


S{X; r > A, BHY; IL > Si}, D4 
S{X; r > AMY; IL > Ti}, 


5 Soundness and Completeness 


Theorem 3 (Soundness). If NQ.L ⊢ S then fm(S) is Q.L-valid. 


Proof. We first note that nested application of rules is sound: for each context 
S{-}, if A ⊃ B is Q.L-valid then fm(S{A}) ⊃ fm(S{B}) is Q.L-valid. This can be 
shown by induction on the depth of the context S{-}; see [3, Lem. 3] for details. 

The Q.L-soundness of the rules of NQ.L is proved by induction on the height 
of the derivation. The cases of initial sequents and of propositional rules of 
NQ.L are given in [3, Thm. 1]. We present the cases of L∀, R_CBF, Rig, and 
R_5dom, all other cases being similar. If fm(X, z; A(z/x), ∀xA, Γ ⇒ Δ) is Q.L- 
valid, then the Q.L-validity of fm(X, z; ∀xA, Γ ⇒ Δ) follows by the soundness 
of the axiom UI*. If fm(X, x; Γ ⇒ Δ, [Y, x; Π ⇒ Σ]) is Q.L.CBF-valid, then the 
formula fm(X, x; Γ ⇒ Δ, [Y; Π ⇒ Σ]) is as well because frames for Q.L.CBF have 
increasing domains. The Q.L-validity of fm(S{X; x = y, Γ ⇒ Δ, [Y; Π ⇒ Σ]}) 
follows from that of fm(S{X; x = y, Γ ⇒ Δ, [Y; x = y, Π ⇒ Σ]}) since variables 
are rigid designators—i.e., the validity of NI := x = y ⊃ □(x = y) and that 
of ND allow identities to be duplicated up and down the accessibility relation, 
respectively. Finally, we argue that R_5dom preserves Q.L-validity when either 
5, CBF ∈ L or 5, BF ∈ L. We show this holds for the following one-context 
rules from which R_5dom is NQ.L-derivable (if x is in the signature of a non-root 
node, these rules bottom-up copy x into the signature of another non-root node): 


S{[X, x; Γ ⇒ Δ], [Y, x; Π ⇒ Σ]}
------------------------------- R_5dom1
S{[X, x; Γ ⇒ Δ], [Y; Π ⇒ Σ]}

S{[X, x; Γ ⇒ Δ, [Y, x; Π ⇒ Σ]]}
------------------------------- R_5dom2
S{[X, x; Γ ⇒ Δ, [Y; Π ⇒ Σ]]}

S{[Y, x; Π ⇒ Σ, [X, x; Γ ⇒ Δ]]}
------------------------------- R_5dom3
S{[Y; Π ⇒ Σ, [X, x; Γ ⇒ Δ]]}


If the premiss of one of these rules is Q.L-valid, then so is the respective con- 
clusion since for 5-frames with increasing or decreasing domains the points sat- 
isfying X, x; Γ ⇒ Δ and Y; Π ⇒ Σ are mutually accessible and have the same 
domain. 


Theorem 4 (Completeness). If fm(S) is Q.L-valid, then NQ.L ⊢ S. 


Proof. We show that Q.L ⊢ fm(S) implies NQ.L ⊢ S; the theorem follows by 
the completeness of Q.L (Theorem 1). We proceed by induction on the height 
of the derivation of fm(S) in Q.L. The NQ.L-admissibility of rule MP/UG/N 
is a corollary of Theorem 2/Lemma 6/Lemma 7. We consider only axioms 
UI* (assuming y ∉ A for simplicity), ND, and CBF. The cases of axioms 
REF and REPL follow from Lemma 2 and the other cases are similar. 
VrA-—.y: A(y/zx), VvrA > A(y/x)] A. 


y; 
zd Li E zA => [y; VrA => A(y/x)] " 
y; A(y/z), Vx A = A(y/x) ae r=y>r=y|r=y=>] ME y;OvxA > NrA => A(y/v) ^ d 
y; VrA => A(y/z) m =x=y,|e=y=] ee y;OvrA > [= A(y/x)] 
y; = VxA D A(y/x) a zzy-[-crZzy| = y;Ov2A => OA(y/x) 
=> Vy(VxA D A(y/x)) cA#y=> O(a Fy) LIVrA > VzL1A 


6 Conclusion and Future Work 


We provided a uniform nested sequent presentation of quantified modal logics 
characterised by combinations of fundamental properties. Due to the inclusion 
of equality in the language of the QMLs considered, our nested calculi permit 
a formula translation by means of the (definable) existence predicate. As a con- 
sequence, our systems possess both a good degree of modularity and utilise a 
language as expressive as that of each logic, yielding more economical systems in 
contrast to the labelled calculi given for the same QMLs, which employ a more 
expressive language [20,25]. Beyond formula interpretability, our nested calculi 
satisfy fundamental properties such as the admissibility of important structural 
rules, invertibility of all rules, and syntactic cut-elimination. 

In future work, we aim to investigate constructive proofs of interpolation 
properties with our nested calculi (cf. [9,15]), to use (variations of) our nested 
calculi to identify decidable QML fragments, as well as extend the present app- 
roach to QMLs with non-rigid designators and, possibly, definite descriptions 
based on λ-abstraction (see [10]) as was done in [21] for labelled sequent calculi. 
Another open problem is to give nested sequents with a formula interpretation 
for QMLs where the existence predicate is not expressible; we conjecture that this 
might be achieved by using the ‘universally closed nesting’ defined by Brünnler 
for free logics [4]. 

We also aim to generalise our approach by employing a wider selection of 
propagation rules [6,8] and reachability rules [16,17] in our systems. As shown 
in various works [11, 16], diverse classes of logics characterised by Horn properties 
can be supplied cut-free nested calculi by utilising logical rules that propagate or 
consume data along paths within nested sequents specified by formal grammars. 
Applying this technique, we plan to see if we can capture a much wider class 
of QMLs in a uniform and modular fashion, and plan to investigate admissibil- 
ity and invertibility properties as well as cut-elimination in this more general 
setting. It would also be worthwhile to examine the relationship between our 
nested calculi and other calculi for QMLs; e.g., we could study the computa- 
tional relationship between our nested calculi and the labelled calculi for QMLs, 
showing how proofs can be translated and determining complexity bounds for 
the relative sizes of proofs. 
Abstract. The analytic technique for proving completeness gives a very 
operational perspective: build a countermodel to the unproved formula 
from a failed proof attempt in your calculus. We have to be careful, how- 
ever, that the proof attempt did not fail because our strategy in finding 
it was flawed. Overcoming this concern requires designing a prover. We 
design and formalize in Isabelle/HOL a sequent calculus prover for first- 
order logic with functions. We formalize soundness and completeness 
theorems using an existing framework and extract executable code to 
Haskell. The crucial idea is to move complexity from the prover itself to 
a stream of instructions that it follows. The result serves as a minimal 
example of the analytic technique, a naive prover for first-order logic, 
and a case study in formal verification. 


Keywords: First-Order Logic · Prover · Completeness · Isabelle/HOL 


1 Introduction 


We present a sound and complete (naive) prover for classical first-order logic 
with functions. There are several ways to prove that a proof system for first- 
order logic is complete. Gödel's approach [14], later refined by Henkin [15], is now 
known as the synthetic way. This technique abstractly builds maximal consistent 
(and saturated) sets of formulas as a bridge between the proof system and the 
semantics. This is a useful technique and has been used in formalizations of the 
completeness of axiomatic systems for first-order logic [9] and epistemic logic [8], 
a tableau system for hybrid logic [7] and more. Unfortunately, as pointed out by 
Blanchette et al. [5] in the context of formalization in Isabelle/HOL, there is no 
useful connection between this technique and the execution of an actual prover. 

The technique by Beth and Hintikka [17] offers a more operational perspec- 
tive. Here, we consider unsuccessful proof attempts in the given calculus and 
build countermodels from these. Such a countermodel refutes the validity of the 
formula that we tried to prove. To build such a countermodel, however, we must 
ensure that the proof attempt was sufficiently sophisticated and, essentially, that 
it would have found a proof if one existed. In proving this property of the proof 
strategy, we are effectively designing a prover based on the calculus. This means 
that, in practice, we can extract a prover from our completeness proof. 


© The Author(s) 2023 
R. Ramanayake and J. Urban (Eds.): TABLEAUX 2023, LNAI 14278, pp. 468-480, 2023. 
Blanchette et al. [5] have made this very concrete by developing a framework 
in Isabelle/HOL for analytic completeness proofs. Their paper includes a first- 
order logic example, but their entry in the Archive of Formal Proofs [3] only 
includes a propositional example. In this paper, we describe a naive prover based 
on the framework, designed to be as simple as possible. This augments the 
framework with a concrete first-order logic example showcasing the analytic 
technique. Moreover it serves as an introduction to automated reasoning by 
making explicit the requirements for completeness of a prover for first-order logic. 
It also serves as a small case study for formal verification in a proof assistant. 

Then the question remains of how to design this proof strategy. We want it 
to be sufficiently intricate to be both sound and complete, but we also want it 
to be simple enough that we can reasonably demonstrate these properties (in a 
proof assistant). We might follow something like Ben-Ari’s tableau algorithm [1] 
(essentially sequent calculus), but we discover that it is surprisingly complex. 
There are nodes with labels, branches with markings, and concerns about which 
kinds of formulas to process first, later or even together. Instead, we will design 
a prover with minimal structure that tries to apply sequent calculus proof rules 
over and over, in the belief that we will eventually apply the right ones. 

The problem changes from working out which rule to apply in a given situa- 
tion, to designing a stream of instructions that will cover whatever we encounter 
and embedding enough structure into these instructions to keep the prover itself 
elementary. This perspective shift greatly simplifies the prover: the rules are 
indexed by formulas and specify exactly what the prover should do in each case. 
Moreover, the nodes in the proof tree are simply sequents, no additional state 
is needed. The rules apply straightforwardly to these sequents to form the next 
nodes of the tree. This simplifies the completeness proof and makes it a non- 
issue to handle first-order logic with functions, which can otherwise require extra 
consideration. 

The formalization of the (naive) prover is available in the Archive of Formal 
Proofs [11]. It consists of less than 900 lines of Isabelle/HOL listings, the majority 
of which are proofs that are not included when exporting Haskell code for the 
prover. A short, manually written Main.hs file augments the exported code 
with a command line interface and pretty-printed output. The Isabelle theory 
Export.thy includes instructions on how to export and compile the Haskell code 
(which closely resembles the programs listed here). The code in this paper is 
exported to LATEX by Isabelle from the formalization, but differs slightly in 
names and layout for presentation reasons. Likewise, to focus on essentials, we 
often omit the technical commands needed in the formalization. 


2 Related Work 


Blanchette [2] gives an overview of a number of verification efforts including the 
metatheory of SAT and SMT solvers, the resolution and superposition calculi, 
and a series of proof systems for propositional logic [18]. The aim is to develop 
a methodology for formalizing modern research in automated reasoning and 
the present work points in this direction with a minimal example of a formally 
verified prover for classical first-order logic based on the sequent calculus. 

The prover is based on the abstract completeness framework by Blanchette, 
Popescu and Traytel [4,5]. Their formalization contains a simple example prover 
for propositional logic, while their paper contains the ideas for a (naive) prover 
for first-order logic. Our prover realizes these ideas by formalizing them in 
Isabelle/HOL. Instead of a prover, Blanchette et al. [5] used the framework 
to formalize soundness and completeness of a calculus for first-order logic with 
equality in negation normal form. From and Jacobsen [10,12] used the framework 
to formalize a much less naive prover for first-order logic based on the SeCaV 
proof system [13]. Instead of indexed rules, they employ “multi-rules” that apply 
to every applicable formula in a sequent at once and they store more than just 
the sequent at each node in the proof tree. Their prover performs better, but 
the formalization does not enjoy the simplicity of the naive prover, with close to 
3000 lines of Isabelle/HOL against 900 lines. 

The indexed rules of the naive prover automatically yield readable proofs. In 
the same vein, THINKER by Pelletier [21] is a natural deduction proof system 
and attached automated theorem prover, designed for “direct proofs”, as opposed 
to proofs based on reduction to a resolution system. MUSCADET by Pastre [20] 
is another automated theorem prover based on natural deduction. Neither of 
these has been formally verified. Schulz and Pease [24] focused on readable code 
rather than proofs. They have developed a saturation-based theorem prover in 
Python for first-order logic to teach automated theorem proving by example. 
They have not formally verified soundness and completeness, but our projects 
are similar. 

In the world of formalization, Schlichtkrull et al. [23] formalized an ordered 
resolution prover for clausal first-order logic in Isabelle/HOL. Jensen et al. [16] 
formalized the soundness, but not the completeness, of a prover for first-order 
logic with equality in Isabelle/HOL. Villadsen et al. [25] verified a simple prover 
for first-order logic in Isabelle/HOL aiming for students to understand both the 
prover and the formalization. That work simplified a formalization by Ridge and 
Margetson [22]. Neither of the last two provers support functions. 


3 Isabelle/HOL Overview 


We give a quick overview of the Isabelle/HOL features used in the present paper. 
Nipkow and Klein [19, Part 1] give a more complete introduction. 

The datatype command defines a new inductive type from a series of con- 
structors, where each can be given custom syntax. The natural numbers are 
built from the nullary constructor 0 and unary Suc. The constructors True and 
False belong to the built-in type bool. The usual connectives and quantifiers 
from first-order logic (¬, ∀, etc.) are available for bool, as well as if-then-else 
expressions. The parametric 'a list is the type of lists with elements of type 'a. 
The type variable 'a stands in the place of another type. Lists are built from 
[], the empty list, and #, an infix constructor that adjoins an element to an 
datatype tm 
  = Var nat (#) 
  | Fun nat (tm list) (†) 

datatype fm 
  = Falsity (⊥) 
  | Pre nat (tm list) (‡) 
  | Imp fm fm (infixr ⟶ 55) 
  | Uni fm (∀) 


Fig. 1. The first-order logic syntax in Isabelle/HOL. 


existing list. The notation [a, b, c] is shorthand for these primitive operations. 
The function set turns a list into a set of its elements, map applies a given func- 
tion to every element of a list, @ appends two lists, concat flattens a list of lists 
and upt j k creates the list [j, j + 1, ..., k − 1]. We use [∈] for list membership 
and [÷] to remove all occurrences of a given element from a list. The two types 
'a set and 'a fset form sets and finite sets respectively. The usual operations are 
available on sets. On finite sets they are typically prefixed by f as in fimage. 
Two additional types are important: sum types with the two unary constructors 
Inl and Inr, and option types constructed by the unary Some or nullary None. 
Constructors can be examined using case expressions. 

The codatatype command defines a new coinductive type from a series of 
constructors. The canonical example is the type ‘a stream of “lists with no base 
case”, i.e. infinite sequences. The functions shd and stl return the head and tail 
of a stream, respectively, while flat transforms a stream of lists into a stream of 
all the elements in the constituent lists, sset returns a set of its elements, smap 
applies a function to every element, !! returns the element at a given index and 
sdrop-while removes a prefix of a stream that satisfies a given predicate. The 
stream nats contains all natural numbers. 

The type A ⇒ B denotes a function from A to B. Type signatures are 
specified after “::”. Types can be shortened using type synonyms. The term 
UNIV stands for the set of all values of a given type. In this paper, both ≡ and 
= are used to form new definitions. Function application resembles functional 
programming languages: f(x, y) is written as f x y and partial application is 
allowed. Anonymous functions are built using λ-expressions, e.g. λn. n + n for 
f(n) = n + n. 

A locale in Isabelle/HOL fixes a number of terms, then assumes a num- 
ber of properties about those terms. The meta-logical implication ⟹ separates 
premises from conclusions in each assumption. The keyword and acts as a sep- 
arator. A locale for a group, for instance, fixes a set and a binary operation and 
assumes the group axioms. 


4 First-Order Logic in Isabelle/HOL 


Figure 1 contains a formalization of the syntax of first-order logic as a datatype 
in Isabelle/HOL. The syntax is deeply embedded as an object in the meta-logic 
so we can manipulate it. We use de Bruijn indices [6] to represent binding: each 
variable n is bound by the quantifier that is n quantifiers away, moving outwards. 
type-synonym 'a var-denot = nat ⇒ 'a 
type-synonym 'a fun-denot = nat ⇒ 'a list ⇒ 'a 
type-synonym 'a pre-denot = nat ⇒ 'a list ⇒ bool 

(⨟) :: 'a ⇒ (nat ⇒ 'a) ⇒ nat ⇒ 'a 
(t ⨟ s) 0 = t 
(t ⨟ s) (Suc n) = s n 

⟦-, -⟧ :: 'a var-denot ⇒ 'a fun-denot ⇒ tm ⇒ 'a 
⟦E, F⟧ (#n) = E n 
⟦E, F⟧ (†f ts) = F f (map ⟦E, F⟧ ts) 

⟦-, -, -⟧ :: 'a var-denot ⇒ 'a fun-denot ⇒ 'a pre-denot ⇒ fm ⇒ bool 
⟦-, -, -⟧ ⊥ = False 
⟦E, F, G⟧ (‡P ts) = G P (map ⟦E, F⟧ ts) 
⟦E, F, G⟧ (p ⟶ q) = (⟦E, F, G⟧ p ⟶ ⟦E, F, G⟧ q) 


Fig. 2. The semantics of first-order logic in Isabelle/HOL. 


A term t, type tm, is then either a variable #n for some de Bruijn index n (a 
natural number) or a function application †f [...] for some natural number f 
representing the function name and list of argument terms [...]. A formula p, 
type fm, is the constant for falsity, ⊥, a predicate ‡P [...] for some natural 
number P representing the predicate name and list of argument terms [...], an 
implication p₁ ⟶ p₂ between two formulas p₁, p₂ or a universally quantified 
formula ∀p. 

Figure 2 contains a formalization of the semantics in Isabelle/HOL. A model 
consists of three denotations: one each for variables (E), function symbols (F) 
and predicate symbols (G). Terms evaluate to a member of the domain, here 
represented as a type variable, while formulas evaluate to truth values in the 
higher-order logic. We can use the connectives and quantifiers of Isabelle/HOL 
to interpret the first-order logic syntax. For the universal quantifier, we modify 
the environment such that we evaluate the quantified variable 0 as every element 
of the domain. 

Figure 3 lists the rules for instantiating a quantifier with a term without cap- 
turing any free variables in the process. The operation lift-tm increments every 
variable in the term t by one. The operation sub-tm s t applies the substitution 
s to every variable in term t. The operation sub-fm s p applies the substitution s 
to the formula p, taking account of binders. In the case for ∀p, the substitution 
is augmented using ⨟ to preserve the bound variable #0 in p and to lift the 
variables in the output of the substitution s to point past the binder. We write 
the instantiation of a quantified formula ∀p with a concrete term t as ⟨t⟩p. The 
notation ⟨t⟩ represents the simultaneous substitution that maps variable 0 to t 
and every other variable n + 1 to n to account for the removed binder. Figure 4 
lists the operations for generating a variable fresh to a list of formulas, i.e. one 
that does not appear in any formula in the list. 
lift-tm :: tm ⇒ tm 
lift-tm (#n) = #(n + 1) 
lift-tm (†f ts) = †f (map lift-tm ts) 

sub-tm :: (nat ⇒ tm) ⇒ tm ⇒ tm 
sub-tm s (#n) = s n 
sub-tm s (†f ts) = †f (map (sub-tm s) ts) 

sub-fm :: (nat ⇒ tm) ⇒ fm ⇒ fm 
sub-fm - ⊥ = ⊥ 
sub-fm s (‡P ts) = ‡P (map (sub-tm s) ts) 
sub-fm s (p ⟶ q) = sub-fm s p ⟶ sub-fm s q 
sub-fm s (∀p) = ∀(sub-fm (#0 ⨟ λn. lift-tm (s n)) p) 

⟨-⟩ :: tm ⇒ fm ⇒ fm 
⟨t⟩ = sub-fm (t ⨟ #) 

Fig. 3. The simultaneous substitution and quantifier instantiation in Isabelle/HOL. 


vars-tm :: tm ⇒ nat list 
vars-tm (#n) = [n] 
vars-tm (†- ts) = concat (map vars-tm ts) 

vars-fm :: fm ⇒ nat list 
vars-fm ⊥ = [] 
vars-fm (‡- ts) = concat (map vars-tm ts) 
vars-fm (p ⟶ q) = vars-fm p @ vars-fm q 
vars-fm (∀p) = vars-fm p 

vars-fms :: fm list ⇒ nat list 
vars-fms A = concat (map vars-fm A) 

max-list :: nat list ⇒ nat 
max-list [] = 0 
max-list (x # xs) = max x (max-list xs) 

fresh :: fm list ⇒ nat 
fresh A = Suc (max-list (vars-fms A)) 


Fig. 4. The rules for generating a fresh variable in Isabelle/HOL. 


type-synonym sequent = fm list × fm list 

sc :: ('a var-denot × 'a fun-denot × 'a pre-denot) ⇒ sequent ⇒ bool 
sc (E, F, G) (A, B) = ((∀p [∈] A. ⟦E, F, G⟧ p) ⟶ (∃q [∈] B. ⟦E, F, G⟧ q)) 


Fig. 5. The syntax and semantics of sequents in Isabelle/HOL. 
IDLE                          A ⊢ B 
                              ----- 
                              A ⊢ B 

AXIOM P ts                    -----  if ‡P ts [∈] A and ‡P ts [∈] B 
                              A ⊢ B 

FLSL                          -----  if ⊥ [∈] A 
                              A ⊢ B 

FLSR                      A ⊢ B [÷] ⊥ 
                          -----------  if ⊥ [∈] B 
                             A ⊢ B 

IMPL p q    A [÷] (p ⟶ q) ⊢ p # B     q # A [÷] (p ⟶ q) ⊢ B 
            ----------------------------------------------  if (p ⟶ q) [∈] A 
                                A ⊢ B 

IMPR p q              p # A ⊢ q # B [÷] (p ⟶ q) 
                      -------------------------  if (p ⟶ q) [∈] B 
                                A ⊢ B 

UNIL t p                  ⟨t⟩p # A ⊢ B 
                          ------------  if ∀p [∈] A 
                             A ⊢ B 

UNIR p            A ⊢ ⟨#fresh(A @ B)⟩p # B [÷] ∀p 
                  --------------------------------  if ∀p [∈] B 
                                A ⊢ B 

Fig. 6. The rules of the sequent calculus presented visually. 


The calculus works on two-sided sequents, of type sequent, which are repre- 
sented as pairs of lists of formulas (cf. Fig. 5). We can think of the left-hand side 
as assumptions and the right-hand side as conclusions. Moreover, the left-hand 
side is conjunctive, so we can assume all of the formulas there to be true, while 
the right-hand side is disjunctive, so we only need to prove one. 

Sequent calculus has the benefit of the subformula property: to prove a for- 
mula we only need to look at its subformulas. Contrast this with axiomatic 
systems using modus ponens (from p —> q and p infer q), where we need to 
guess a suitable “lemma” formula. However, a sequent calculus may still leave 
too much freedom for comfort. In particular, we want to remove the need for 
structural rules, since these are too applicable. 

Figure 6 lists the underlying rules of the prover in a somewhat idiosyncratic 
manner. The reason will become apparent later. Each rule has a name to the left 
of the horizontal line. Below the horizontal line is the conclusion and above are 
the premises, if any. Any side conditions are given to the right of the line. Note 
that each rule is indexed by the exact (sub)formulas it works on: the rule AXIOM 
0 [] is distinct from the rule AXIOM 1 [] etc. This rigidity means that we do not 
need any structural rules. It also means that there is no pattern matching in 
any of the rules and that the three primary operations are membership checking 
([∈]), removal of concrete formulas ([÷]) and adding new formulas to a list (#). 

The IDLE rule appears for technical reasons (there should always be an 
enabled rule). The AXIOM rule is indexed by a predicate symbol P and argument 
list ts and checks whether such a predicate appears on both sides of the sequent: 
if so, the rule applies and there are no child sequents. The FLSL rule checks if ⊥ 
occurs among the assumptions, in which case the sequent is proved. The FLSR 
rule, when it applies, drops all occurrences of ⊥ from the conclusions, since we 
can never prove any of them. The IMPL and IMPR rules decompose implications 
on either side of the sequent in the standard way. The UNIL rule is indexed by 
a term t and a formula p. If ∀p occurs on the left, then the rule instantiates it 
with t, adding ⟨t⟩p to the left-hand side of the child sequent. The UNIR rule 
is only indexed by a formula p. When ∀p occurs on the right, it is instantiated 
with a fresh variable and removed. 

In order to obtain a prover based on the rules of the sequent calculus we use 
the abstract completeness framework for Isabelle/HOL developed by Blanchette, 
Popescu and Traytel [3,5]. This framework formalizes the mechanics of sequent 
calculus and semantic tableaux provers in an abstract way that we can instantiate 
with concrete rules. There are two possible perspectives on the framework: (i) 
the proof perspective, where we use the framework to obtain theorems about 
proof trees built from our rules and (ii) the code generation perspective, where 
we use the framework to generate an executable prover. In this paper, both 
perspectives come into play but the two perspectives can be used on their own. 

The framework needs: a stream of rules, a function describing their effect, a 
proof that some rule is always enabled and a guarantee that rules are persistent. 
We formalize the calculus in Isabelle/HOL as a datatype of rules, rule, with 
constructors Idle, Axiom, FlsL, FlsR, ImpL, ImpR, UniL and UniR, and an effect 
function, eff, that encodes the relationship between premises and conclusions in 
the manner expected by the framework. 
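As an added illustration (a Python re-implementation written for this edit, not the paper's Isabelle/HOL or its exported Haskell), the following code carries out the de Bruijn substitution and instantiation of Fig. 3, the fresh-variable computation of Fig. 4 and an effect function for the indexed rules of Fig. 6; the rule tuples such as ("ImpR", p, q) stand in for the paper's rule datatype, and the step helper that feeds one instruction to every open leaf is this example's own naming.

```python
from dataclasses import dataclass

# Syntax of Fig. 1 with de Bruijn indices: Var(n) is #n, Fun(f, ts) is †f ts,
# Pre(P, ts) is ‡P ts, Imp is ⟶ and Uni is ∀ (it binds variable #0 of its body).
@dataclass(frozen=True)
class Var:
    n: int
@dataclass(frozen=True)
class Fun:
    f: int
    ts: tuple
@dataclass(frozen=True)
class Falsity: pass
@dataclass(frozen=True)
class Pre:
    P: int
    ts: tuple
@dataclass(frozen=True)
class Imp:
    p: object
    q: object
@dataclass(frozen=True)
class Uni:
    p: object

def cons(t, s):
    return lambda n: t if n == 0 else s(n - 1)  # (t ⨟ s): 0 ↦ t, Suc n ↦ s n

def lift_tm(t):
    # Increment every variable index by one (the term moves under one binder).
    return Var(t.n + 1) if isinstance(t, Var) else Fun(t.f, tuple(map(lift_tm, t.ts)))

def sub_tm(s, t):
    return s(t.n) if isinstance(t, Var) else Fun(t.f, tuple(sub_tm(s, u) for u in t.ts))

def sub_fm(s, p):
    """Simultaneous substitution; under ∀ it keeps #0 and lifts the outputs of s."""
    if isinstance(p, Falsity):
        return p
    if isinstance(p, Pre):
        return Pre(p.P, tuple(sub_tm(s, u) for u in p.ts))
    if isinstance(p, Imp):
        return Imp(sub_fm(s, p.p), sub_fm(s, p.q))
    return Uni(sub_fm(cons(Var(0), lambda n: lift_tm(s(n))), p.p))

def inst(t, p):
    """⟨t⟩p: fill the binder just removed from ∀p with t, shifting other variables down."""
    return sub_fm(cons(t, Var), p)

def vars_tm(t):
    return [t.n] if isinstance(t, Var) else [v for u in t.ts for v in vars_tm(u)]

def vars_fm(p):
    if isinstance(p, Imp):
        return vars_fm(p.p) + vars_fm(p.q)
    if isinstance(p, Uni):
        return vars_fm(p.p)
    return [v for u in getattr(p, "ts", ()) for v in vars_tm(u)]  # Pre, or [] for ⊥

def fresh(A):
    return max([0] + [v for p in A for v in vars_fm(p)]) + 1  # Suc (max-list (vars-fms A))

def remove(xs, x):
    """The [÷] operation: delete every occurrence of x from the list."""
    return [y for y in xs if y != x]

def eff(rule, seq):
    """Child sequents of applying an indexed rule to (A, B); None if the rule is not enabled."""
    A, B = seq
    kind, args = rule[0], rule[1:]
    if kind == "Idle":
        return [(A, B)]
    if kind == "Axiom":
        f = Pre(*args)
        return [] if f in A and f in B else None
    if kind == "FlsL":
        return [] if Falsity() in A else None
    if kind == "FlsR":
        return [(A, remove(B, Falsity()))] if Falsity() in B else None
    if kind == "ImpL":
        f = Imp(*args)
        return [(remove(A, f), [f.p] + B), ([f.q] + remove(A, f), B)] if f in A else None
    if kind == "ImpR":
        f = Imp(*args)
        return [([f.p] + A, [f.q] + remove(B, f))] if f in B else None
    if kind == "UniL":
        t, p = args
        return [([inst(t, p)] + A, B)] if Uni(p) in A else None
    if kind == "UniR":
        f = Uni(*args)
        return [(A, [inst(Var(fresh(A + B)), f.p)] + remove(B, f))] if f in B else None
    raise ValueError(f"unknown rule {kind}")

def step(rule, open_seqs):
    """Apply one instruction to every open leaf; leaves where it is not enabled are kept."""
    out = []
    for seq in open_seqs:
        children = eff(rule, seq)
        out.extend(children if children is not None else [seq])
    return out
```

Feeding the instructions ImpR, UniL †0 [] and Axiom 0 [†0 []] to the single open sequent ⊢ ∀(‡0 [#0]) ⟶ ‡0 [†0 []] leaves no open leaf, i.e. a finite proof tree, while a rule whose side condition fails leaves the leaf untouched.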


5 Soundness and Completeness 


Soundness requires that we do not prove a sequent without having proper rea- 
sons to do so. It is a local property of our calculus that we can easily check. 
Completeness, on the other hand, requires that we have sufficient rules avail- 
able to prove every valid formula. Thus, proving completeness requires a more 
involved strategy. 


Lemma 1 (Local soundness). If all premises of a rule are valid, then its 
conclusion is valid. In Isabelle, if eff r (A, B) = Some ss and ∀A B. (A, B) 
|∈| ss ⟶ (∀(E :: _ ⇒ 'a). sc (E, F, G) (A, B)), then sc (E, F, G) (A, B). 


Proof. By induction on the call structure of eff. The induction hypothesis then 
applies to the sequents produced by eff. All cases except UNIR are trivial. For 
UNIR, by the induction hypothesis, the premise holds under all variable deno- 
tations: no matter the assignment to the fresh variable. This justifies forming 
the universal quantifier and since the fresh variable does not appear elsewhere 
in the sequent, the semantics there are unaffected. 


Theorem 1 (Prover soundness). If a proof tree (attempt) is well formed and 
finite, then the root sequent is valid. In Isabelle, if tfinite t and wf t, then sc (E, 
F, G) (fst (root t)). 


Proof. By induction on the finite proof tree using Lemma 1. 
locale Hintikka = 
  fixes A B :: fm set 
  assumes 
    Basic: ‡P ts ∈ A ⟹ ‡P ts ∈ B ⟹ False and 
    FlsA: ⊥ ∉ A and 
    ImpA: p ⟶ q ∈ A ⟹ p ∈ B ∨ q ∈ A and 
    ImpB: p ⟶ q ∈ B ⟹ p ∈ A ∧ q ∈ B and 
    UniA: ∀p ∈ A ⟹ ∀t. ⟨t⟩p ∈ A and 
    UniB: ∀p ∈ B ⟹ ∃t. ⟨t⟩p ∈ B 


M A = (#, †, λP ts. ‡P ts ∈ A) 


Fig. 7. Formalizations of Hintikka sets and the countermodel M A. 


For completeness we must now show that, for every valid sequent, the prover 
finds a proof. We do so contrapositively: if the prover does not find a proof, 
we produce a countermodel to the sequent. To do so, we characterize saturated 
escape paths syntactically using Hintikka sets and show that such sets induce 
countermodels. Figure 7 characterizes Hintikka sets in our setting. There are 
two perspectives on these: one, that they characterize saturated escape paths 
and two, that they characterize the semantics of the countermodel. 

To understand the first perspective, read the set A as consisting of all formu- 
las that appear as assumptions on the saturated escape path (on the left-hand 
side of sequents) and the set B as consisting of all formulas that appear as con- 
clusions (on the right-hand side of sequents). The Isabelle/HOL functions treeA 
and treeB collect these sets, respectively. 


Lemma 2 (Hintikka sets characterize saturated escape paths). Let A 
and B be sets of assumption and conclusion formulas on a saturated escape 
path. Then they fulfill all Hintikka requirements. In Isabelle, if epath steps and 
Saturated steps, then Hintikka (treeA steps) (treeB steps). 


Proof. We check each condition separately. 

Basic states that a predicate cannot appear as both assumption and con- 
clusion on the epath. Otherwise the AXIOM rule would have terminated the 
(infinite) epath. 

FlsA states that ⊥ does not appear among the assumptions. Similarly to the 
above, the FLSL rule would have terminated the epath if it did. 

ImpA and ImpB break down implications in accordance with the IMPL and 
IMPR rules. For a given p,q, if p —> q appears in A (respectively B), then at 
some point in the proof tree attempt, the rule IMPL p q (respectively IMPR p 
q) becomes enabled. Since the epath is saturated, any enabled rule is eventually 
taken and the effect matches the thesis. 

UniA states that any universally quantified formula ∀p on the left is instan- 
tiated with all possible terms. Fix an arbitrary term t. Since ∀p occurs as an 
assumption, the specific rule UNIL p t is eventually enabled, taken, and has the 
desired effect. 

UniB is similar, except the witnessing term is the fresh variable. 


Remark 1. We see the usefulness of indexed rules in the above proof. If we 
simply had an IMPR rule, rather than an IMPR p q rule for each formula p and 
q, we would have to further argue that this rule eventually applies to exactly the 
implication p —> q we need it to. Perhaps we need to argue first that p — q 
eventually reaches the front of the sequent or similar delicate reasoning. This is 
where fairness concerns would show up. We have sidestepped the issue by using 
very specific rules. 


Consider now the second perspective. The countermodel in Fig. 7 uses the 
term universe (also called Herbrand universe) where every variable and function 
symbol evaluates to itself. Thus, the universal quantifier, which ranges over a 
given domain, ranges over terms. Now, read the sets A and B as formulas we 
wish to satisfy and falsify, respectively. 


Lemma 3 (A Hintikka set induces a countermodel). Let A and B be sets 
of formulas fulfilling the Hintikka requirements. Then M A satisfies formulas in 
A and falsifies formulas in B. In Isabelle, if Hintikka A B then (p ∈ A ⟶ 
⟦M A⟧ p) ∧ (p ∈ B ⟶ ¬ ⟦M A⟧ p). 


Proof. By well founded induction on the size of the formula, such that the induc- 
tion hypothesis applies to subformulas and instances of universally quantified 
formulas. 

For ⊥ ∈ A, this contradicts FlsA so the thesis holds vacuously. For ⊥ ∈ B, 
the thesis holds trivially since ⊥ is falsified by every model. 

For ‡P ts ∈ A, the thesis holds by the definition of M. For ‡P ts ∈ B, we 
cannot have ‡P ts ∈ A due to Basic and so the thesis holds by the definition of 
M. 

For p ⟶ q ∈ A and p ⟶ q ∈ B the theses hold by the induction hypothe- 
ses at p and q and the conditions ImpA and ImpB, respectively. 

For ∀p ∈ A and ∀p ∈ B the theses hold by the induction hypotheses at ⟨t⟩p 
for all t and by the conditions UniA and UniB, respectively. 


Any saturated escape path induces a countermodel, contradicting validity. 


Theorem 2 (Prover completeness). For any valid sequent, the prover ter- 
minates. 


Proof. If the prover does not find a proof, then by the framework, the proof 
attempt contains a saturated escape path. By Lemma 2, this epath fulfills the 
Hintikka requirements. By Lemma 3, we can build a model that satisfies every 
assumption formula and falsifies every conclusion formula. This model contra- 
dicts the validity of the sequent. 


We join the soundness and completeness theorems in a corollary on formulas. 


Corollary 1. The prover terminates if, and only if, the given formula is valid. 
In Isabelle, fix p :: fm and let t = prover ([], [p]); then tfinite t ∧ wf t ⟷ 
(∀(E :: _ ⇒ tm) F G. ⟦E, F, G⟧ p). 